UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

ColdFusion must only allow approved file extensions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-62405 CF11-03-000096 SV-76895r1_rule Medium
Description
Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. One area of concern is the file types that can be included in cfm and cfml files by programmers. To control what types of technologies are used in the development of hosted applications, a default whitelist can be created and approved by the ISSO. This list includes only those file extensions that are used by the hosted applications. By default, cfm and cfml are included and do not have to be specified. The list must not contain the wildcard string "*.*".
STIG Date
Adobe ColdFusion 11 Security Technical Implementation Guide 2017-06-15

Details

Check Text ( C-63209r1_chk )
Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If "Allowed file extensions for CFInclude tag" is empty, this is not a finding.

If the "Allowed file extensions for CFInclude tag" contains the wildcard string "*.*" or if the list of file extensions is not the list approved by the ISSO, this is a finding.
Fix Text (F-68325r1_fix)
Navigate to the "Settings" page under the "Server Settings" menu. Enter the list of approved file extensions in the "Allowed file extensions for CFInclude tag" field and select the "Submit Changes" button. A blank list will only allow cfm and cfml files to be included and fulfills this requirement.