ColdFusion must have example collections removed.

From Adobe ColdFusion 11 Security Technical Implementation Guide

Part of SRG-APP-000141-AS-000095

Associated with: CCI-000381

SV-76937r1_rule ColdFusion must have example collections removed.

Vulnerability discussion

ColdFusion is installed with sample data services, gateway services, and collections. These can be used in a development environment to learn how to use and develop applications and services, but the samples are not tested and patched for security issues. Leaving them available on a production system gives an attacker a path into the application server and into the systems connected to ColdFusion. To alleviate this issue, sample code and services must be deleted.

Check content

Several sample services are installed with the ColdFusion server. From the Administrator Console, go to the "ColdFusion Collections" page under the "Data & Services" menu. If the bookclub collection exists, this is a finding.

Fix text

Remove the sample collections by navigating to the "ColdFusion Collections" page under the "Data & Services" menu. Delete the bookclub collection.
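The check and fix above are described as Administrator Console steps. The following CFML page is an added example, not part of the STIG or of Adobe's own tooling, that performs the same check with the standard `cfcollection` tag and, only when explicitly asked, the same deletion. It assumes it is run by an administrator on the ColdFusion server and uses a URL parameter named `fixIt` (a name chosen here) to decide whether to delete.

```cfml
<!---
  Added example, not part of the STIG: automated check (and optional fix) for the
  "bookclub" sample collection named in the rule. Assumes it runs on the ColdFusion
  server itself and that the "fixIt" URL parameter (a name chosen for this example)
  controls whether the collection is actually removed.
--->
<cfparam name="url.fixIt" default="false">

<!--- List every collection registered with this ColdFusion instance --->
<cfcollection action="list" name="qCollections">

<!--- Case-insensitive match on the sample collection named in the check content --->
<cfset finding = false>
<cfloop query="qCollections">
    <cfif compareNoCase(qCollections.name, "bookclub") EQ 0>
        <cfset finding = true>
        <cfoutput>
            <p>FINDING: sample collection "bookclub" exists at #encodeForHTML(qCollections.path)#</p>
        </cfoutput>
        <cfif url.fixIt>
            <!--- Remove the collection from ColdFusion, mirroring the Fix text --->
            <cfcollection action="delete" collection="bookclub">
            <cfoutput><p>Deleted collection "bookclub".</p></cfoutput>
        </cfif>
    </cfif>
</cfloop>

<cfif NOT finding>
    <cfoutput><p>Not a finding: no "bookclub" collection is registered.</p></cfoutput>
</cfif>
```

Request the page without parameters to record the check result, and with `?fixIt=true` to apply the fix; because it carries collection-deletion capability, it belongs in a controlled location and should be removed from the server once the finding is closed, for the same reason the STIG removes the samples themselves.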
