UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The ColdFusion Administrator Console must transmit only encrypted representations of passwords.


Overview

Finding ID Version Rule ID IA Controls Severity
V-62457 CF11-04-000134 SV-76947r1_rule Medium
Description
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. ColdFusion uses username and password for users to authenticate to the Administrator Console. When these credentials are sent in plaintext, an attacker can capture the information and use the credentials to log on to the console, creating objects, connections, and accounts for later use. The attacker will also have access to information stored for connections to other systems that ColdFusion may be connected to for data retrieval.
STIG Date
Adobe ColdFusion 11 Security Technical Implementation Guide 2017-06-15

Details

Check Text ( C-63261r1_chk )
Access the Administrator Console through a web browser. Look for indications that the communication is an https session through the prefix of https on the url and/or the lock icon, depending on the browser in use.

If https does not appear to be in use, this is a finding.
Fix Text (F-68377r1_fix)
Review the documentation for the web server where the Administrator Console is being hosted and setup https encryption to protect passwords during the authentication process.