From Adobe ColdFusion 11 Security Technical Implementation Guide
Part of SRG-APP-000141-AS-000095
Associated with: CCI-000381
ColdFusion is installed with sample data services, gateway services, and collections. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issues. Allowing them to be available on a production system provides a gateway to an attacker to the application server and to those systems connected to ColdFusion. To alleviate this issue, sample code and services must be deleted.
Several sample services are installed with the ColdFusion server. From the Administrator Console, go to the "Data Sources" page under the "Data & Services" menu. If the data sources cfartgallery, cfbookclub, cfcodeexplorer, or cfdocexamples exist, this is a finding.
Remove the sample data sources by navigating to the "Data Sources" page under the "Data & Services" menu. Delete the data sources cfartgallery, cfbookclub, cfcodeexplorer, and cfdocexamples.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer