ColdFusion must only allow approved file extensions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-62405 | CF11-03-000096 | SV-76895r1_rule | Medium |
| Description |
|---|
| Application servers provide a myriad of differing processes, features, and functionalities. Some of these processes may be deemed to be unnecessary or too unsecure to run on a production DoD system. One area of concern is the file types that can be included in cfm and cfml files by programmers. To control what types of technologies are used in the development of hosted applications, a default whitelist can be created and approved by the ISSO. This list includes only those file extensions that are used by the hosted applications. By default, cfm and cfml are included and do not have to be specified. The list must not contain the wildcard string "*.*". |
| STIG | Date |
|---|---|
| Adobe ColdFusion 11 Security Technical Implementation Guide | 2017-12-31 |
Details
| Check Text ( C-63209r1_chk ) |
|---|
| Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If "Allowed file extensions for CFInclude tag" is empty, this is not a finding. If the "Allowed file extensions for CFInclude tag" contains the wildcard string "*.*" or if the list of file extensions is not the list approved by the ISSO, this is a finding. |
| Fix Text (F-68325r1_fix) |
|---|
| Navigate to the "Settings" page under the "Server Settings" menu. Enter the list of approved file extensions in the "Allowed file extensions for CFInclude tag" field and select the "Submit Changes" button. A blank list will only allow cfm and cfml files to be included and fulfills this requirement. |