The ColdFusion Administrator Console must transmit only encrypted representations of passwords.

From Adobe ColdFusion 11 Security Technical Implementation Guide

Associated with: CCI-000197

SV-76947r1_rule The ColdFusion Administrator Console must transmit only encrypted representations of passwords.

Vulnerability discussion

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.ColdFusion uses username and password for users to authenticate to the Administrator Console. When these credentials are sent in plaintext, an attacker can capture the information and use the credentials to log on to the console, creating objects, connections, and accounts for later use. The attacker will also have access to information stored for connections to other systems that ColdFusion may be connected to for data retrieval.

Check content

Access the Administrator Console through a web browser. Look for indications that the communication is an https session through the prefix of https on the url and/or the lock icon, depending on the browser in use. If https does not appear to be in use, this is a finding.

Fix text

Review the documentation for the web server where the Administrator Console is being hosted and setup https encryption to protect passwords during the authentication process.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.