ColdFusion accounts with access to the Administrator Console must be approved.

From Adobe ColdFusion 11 Security Technical Implementation Guide

Associated with: CCI-000366

SV-76925r1_rule ColdFusion accounts with access to the Administrator Console must be approved.

Vulnerability discussion

ColdFusion offers an Administrator Console that is used to setup ColdFusion. The console allows the administrator to setup user accounts, user privileges, logging, data sources, etc. These accounts, once setup, do not automatically lock after a set duration of inactivity or any other security event that would require automatic locking or deletion. This would enable an account for a user who either left the organization or changed job roles, to continue access the console until the account is manually deleted.To make certain that the user accounts are only those that are needed, the accounts must be approved by the ISSM.

Check content

Review the users within the "User Manager" page under the "Security" menu. If users exist that are not approved by the ISSM, this is a finding.

Fix text

Navigate to the "User Manager" page under the "Security" menu. Modify the list of users to only contain those approved by the ISSM.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.