The best way to secure Adobe ColdFusion is to follow the appropriate lockdown guide for the version that the site is running.
- ColdFusion 9 - https://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf
- ColdFusion 10 - https://www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/cf10-lockdown-guide.pdf
- ColdFusion 11 - http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf11/cf11-lockdown-guide.pdf
If you find the lockdown guides too difficult to follow, there are some basic steps one can take to make the existing ColdFusion installation more secure.
- Restrict or eliminate access to sensitive directories within /CFIDE in the web server
- Set Missing Template Handler and Site-wide Error Handler in the ColdFusion Administrator
- Disable "Enable Robust Exception Information" and disable "Enable Request Debugging Output"
- Make sure that RDS is disabled in the ColdFusion Administrator and commented out in web.xml
- If you are running ColdFusion 10 or higher, make sure ColdFusion stays updated with Server Updates. If you are running either ColdFusion 8.0.1 or 9.0.x, we recommend using Unofficial Updater 2 to apply patches to ColdFusion
- Stay on a supported version of ColdFusion. Once Core Support ends for a version, Adobe will no longer release security patches for it. ColdFusion 9.0.x Core Support ends December 31, 2014.
Coding Best Practices
While ColdFusion has added language features for writing more secure code, applications using ColdFusion are seldom updated for security, and developers are seldom trained in how to write more secure code. ColdFusion 10 introduced much better support for defending against Cross Site Scripting (XSS) by leveraging the OWASP ESAPI Encoder functions. It is possible to get similar functionality by calling the OWASP ESAPI Java library directly in ColdFusion or by using CFBackPort for older versions of ColdFusion. Another vulnerability that is too common is SQL Injection. ColdFusion has had a way to defend against its most common forms since version 4.5, when <cfqueryparam> was introduced, yet there are still plenty of applications out there where it is not used.
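As an added illustration of both points above (this is not code from the original page), the template below shows a query that concatenates request input beside its <cfqueryparam> form, then context-specific output encoding with the ColdFusion 10+ functions and the direct ESAPI call for older versions. The datasource "appDS", the users table and the ESAPI jar being available on ColdFusion's classpath are assumptions.

```cfml
<!--- Constructed example; assumes a datasource "appDS" with a table users(id, username, bio). --->
<cfparam name="url.id" default="0">
<cfparam name="url.ids" default="0">
<cfparam name="url.q" default="">

<!--- Before: the request value is pasted into the SQL text, so anything that is
      not a plain number changes the statement itself (SQL injection). --->
<cfquery name="qUnsafe" datasource="appDS">
    SELECT id, username, bio FROM users WHERE id = #url.id#
</cfquery>

<!--- After: cfqueryparam sends the value as a bound parameter and enforces the declared
      SQL type, so a non-integer value is rejected by ColdFusion before any SQL runs. --->
<cfquery name="qUser" datasource="appDS">
    SELECT id, username, bio FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same rule for strings and lists: maxlength bounds the input, and list="true" expands a
      comma-separated value into one placeholder per item, which is the right way to do IN (...). --->
<cfquery name="qSearch" datasource="appDS">
    SELECT id, username FROM users
    WHERE username LIKE <cfqueryparam value="%#url.q#%" cfsqltype="cf_sql_varchar" maxlength="80">
      AND id IN (<cfqueryparam value="#url.ids#" cfsqltype="cf_sql_integer" list="true">)
</cfquery>

<!--- Output: encode for the context the value lands in. encodeForHTML / encodeForURL are the
      ESAPI-backed functions available from ColdFusion 10 onward. --->
<cfoutput query="qUser">
    <p>#encodeForHTML(username)# - #encodeForHTML(bio)#</p>
    <a href="/profile.cfm?id=#encodeForURL(id)#">profile</a>
</cfoutput>

<!--- Pre-CF10 fallback mentioned in the text: call the OWASP ESAPI encoder directly
      (assumes the ESAPI jar is on ColdFusion's classpath). --->
<cfset esapiEncoder = createObject("java", "org.owasp.esapi.ESAPI").encoder()>
<cfoutput><p>Search: #esapiEncoder.encodeForHTML(url.q)#</p></cfoutput>
```

The cfqueryparam form also lets the database cache the prepared statement, so the hardened query is usually no slower than the concatenated one.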
While securing ColdFusion is important, all aspects of the software running the web site or application must be looked at. The OS, web server and database server all need to be properly secured for the overall server to be secure. Depending upon the security requirements of a given organization, we suggest looking at the CIS Benchmarks or DISA STIGs to assist in securing the other parts of the web stack.
Contact us if you need help securing your server.