ColdFusion must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which logable events are to be logged.

From Adobe ColdFusion 11 Security Technical Implementation Guide

Part of SRG-APP-000090-AS-000051

Associated with: CCI-000171

SV-76861r1_rule ColdFusion must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which logable events are to be logged.

Vulnerability discussion

ColdFusion utilizes role-based access controls in order to specify those individuals who are able to configure logable events. Allowing users other than the ISSM and appointed individuals access to turn logged events on or off allows a user to mask their actions by disabling logging. By enabling excessive logging or by enabling debugging, a user can generate logged events containing information that can be used to later attack the system or gain access to Personally Identifiable Information (PII).

Check content

Review the roles assigned to the defined users within the "User Manager" page under the "Security" menu. Only the ISSM, or users appointed by the ISSM to change logable events, may have the following roles: Debugging and Logging>Logging Debugging and Logging>Code Analyzer Debugging and Logging>Debugging Debugging and Logging>License Scanner Debugging and Logging>System Probes If any other users have any of these roles, then this is a finding.

Fix text

Navigate to the "User Manager" page under the "Security" menu and assign the following roles to the ISSM and users appointed by the ISSM to change logable events. Debugging and Logging>Logging Debugging and Logging>Code Analyzer Debugging and Logging>Debugging Debugging and Logging>License Scanner Debugging and Logging>System Probes

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer