ColdFusion must transmit only encrypted representations of passwords to the mail server.

From Adobe ColdFusion 11 Security Technical Implementation Guide

Part of SRG-APP-000172-AS-000120

Associated with: CCI-000197

SV-76949r1_rule ColdFusion must transmit only encrypted representations of passwords to the mail server.

Vulnerability discussion

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised.

ColdFusion may use a username/password to connect to a mail server. When this authentication method is used, it is important that the credentials be protected in transit by being encrypted. While TLS is the encryption method preferred by DoD, SSL can be used when the mail server does not offer any other method of encryption.

Check content

Within the Administrator Console, navigate to the "Mail" page under the "Server Settings" menu. If a user name and password are required for authentication and both "Enable TLS connection to mail server" and "Enable SSL socket connections to mail server" are unchecked, this is a finding.
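The same check can be scripted against the server's stored mail settings when many instances need auditing. This is an added example, not part of the STIG or Adobe's tooling; it assumes the settings are kept in a WDDX file such as neo-mail.xml and that the keys are named username, password, usessl and usetls, so confirm both against your installation.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the WDDX layout assumed for ColdFusion's mail settings.
# Key names (username, password, usessl, usetls) are assumptions; verify locally.
SAMPLE = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
  <var name='server'><string>smtp.example.mil</string></var>
  <var name='port'><number>25.0</number></var>
  <var name='username'><string>cfmailer</string></var>
  <var name='password'><string>PLACEHOLDER</string></var>
  <var name='usessl'><boolean value='false'/></var>
  <var name='usetls'><boolean value='false'/></var>
</struct></data></wddxPacket>"""


def wddx_settings(xml_text):
    """Flatten every <var> in a WDDX packet into {lowercased name: value}."""
    settings = {}
    for var in ET.fromstring(xml_text).iter("var"):
        child = next(iter(var), None)
        if child is None:
            continue
        if child.tag == "boolean":
            value = child.get("value", "false").lower() == "true"
        else:
            value = (child.text or "").strip()
        settings[var.get("name", "").lower()] = value
    return settings


def is_finding(settings):
    """Finding: credentials are configured while TLS and SSL are both off."""
    uses_auth = bool(settings.get("username") or settings.get("password"))
    encrypted = settings.get("usetls") is True or settings.get("usessl") is True
    return uses_auth and not encrypted


if __name__ == "__main__":
    import sys
    # Pass the path to the settings file; without one, the sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("FINDING" if is_finding(wddx_settings(text)) else "not a finding")
```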

Fix text

Navigate to the "Mail" page under the "Server Settings" menu. Enable SSL/TLS by checking the "Enable SSL socket connections to mail server" and/or "Enable TLS connection to mail server" options, then select the "Submit Changes" button.
