ColdFusion must disable creation of unnamed applications.

From Adobe ColdFusion 11 Security Technical Implementation Guide

Associated with: CCI-001082

SV-76957r1_rule ColdFusion must disable creation of unnamed applications.

Vulnerability discussion

ColdFusion allows applications to be named or unnamed. The application name allows the developer to scope the application or define a logical application and allows for the separation of applications. When an application is unnamed, the application scope corresponds to the ColdFusion JEE servlet context. This also means that the application session corresponds directly to the session object of the JEE application server. Having unnamed applications is only necessary when the ColdFusion pages must share application or session scope data with existing JSP pages and servlets.Disabling the ability for unnamed applications allows the Administrator Console and all the other hosted applications to be isolated from each other.

Check content

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If "Disable creation of unnamed applications" is unchecked, this is a finding.

Fix text

Navigate to the "Settings" page under the "Server Settings" menu. Check "Disable creation of unnamed applications" and select the "Submit Changes" button.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.