ColdFusion must have example data sources removed.

From Adobe ColdFusion 11 Security Technical Implementation Guide

Part of SRG-APP-000141-AS-000095

Associated with: CCI-000381

SV-76909r1_rule ColdFusion must have example data sources removed.

Vulnerability discussion

ColdFusion is installed with sample data services, gateway services, and collections. These can be used in a development environment to learn how to use and develop applications and services, but these samples are not tested and patched for security issues. Allowing them to be available on a production system provides a gateway to an attacker to the application server and to those systems connected to ColdFusion. To alleviate this issue, sample code and services must be deleted.

Check content

Several sample services are installed with the ColdFusion server. From the Administrator Console, go to the "Data Sources" page under the "Data & Services" menu. If the data sources cfartgallery, cfbookclub, cfcodeexplorer, or cfdocexamples exist, this is a finding.

Fix text

Remove the sample data sources by navigating to the "Data Sources" page under the "Data & Services" menu. Delete the data sources cfartgallery, cfbookclub, cfcodeexplorer, and cfdocexamples.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer