ColdFusion must require a username and password for access by each authorized user access.

From Adobe ColdFusion 11 Security Technical Implementation Guide

Part of SRG-APP-000080-AS-000045

Associated with: CCI-000166

SV-76855r1_rule ColdFusion must require a username and password for access by each authorized user access.

Vulnerability discussion

Non-repudiation of actions taken is required in order to maintain application integrity. Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects individuals against later claims by an author of not having authored a particular document, a sender of not having transmitted a message, a receiver of not having received a message, or a signatory of not having signed a document. Enforcing non-repudiation of actions requires that each user be identified. Without this identification, events cannot be traced to a user, and a forensic investigation cannot be conducted to determine what exactly happened and who caused the event to occur. By forcing users to authenticate, each auditable event can be tied to a user, and a sequence of events for the user can be determined. This is critical when investigating an issue or an attack.

Check content

Access the "Administrator" page under the "Security" menu within the Administrator Console. If the "Separate user name and password authentication" is not selected, this is a finding.

Fix text

Access the "Administrator" page under the "Security" menu within the Administrator Console. Select "Separate user name and password authentication" and select the "Submit Changes" button.

Pro Tips

Powered by sagemincer