ColdFusion must have ColdFusion component (CFC) type checking enabled.

From Adobe ColdFusion 11 Security Technical Implementation Guide

Associated with: CCI-002754

SV-77027r1_rule ColdFusion must have ColdFusion component (CFC) type checking enabled.

Vulnerability discussion

Invalid user input occurs when a user inserts data or characters into an application's data entry field and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application.Invalid input can also occur within applications to ColdFusion components. The parameters can be input from users that are not properly type checked or from data computed within the application. When the data is not type checked, the receiving component may cause an error that is unhandled or throw an exception that puts the application server and/or hosted application into an unsecure posture. To limit invalid calls, ColdFusion component (CFC) type checking must be disabled.

Check content

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If the "Disable CFC Type check" is checked, this is a finding.

Fix text

Navigate to the "Settings" page under the "Server Settings" menu. Uncheck "Disable CFC Type check" and select the "Submit Changes" button.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.