From Adobe ColdFusion 11 Security Technical Implementation Guide
Part of SRG-APP-000133-AS-000092
Associated with: CCI-001499
Application servers have the ability to specify that the hosted applications utilize shared libraries. Within ColdFusion, these shared libraries are often Java components along with server settings. By allowing programmers or attackers to write CFML code that can directly access these components and settings, the programmer can change how shared Java components work and create new Java components. By disabling this option, the programmer is unable to read or modify administration and configuration information for the server and shared Java components.
Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If "Disable access to internal ColdFusion Java components" is unchecked, this is a finding.
Navigate to the "Settings" page under the "Server Settings" menu. Check "Disable access to internal ColdFusion Java components" and select the "Submit Changes" button.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer