Lucee's former self, Railo, reportedly had a security breach

“you know Railo has an unpatched security exploit”, can anyone elaborate on that?

Thanks.

I’m not aware of any of the vulnerabilities that are not fixed in Railo actually being exploited in the wild, but there have been a few security issues reported by security researchers like Foundeo over the last few years that have been fixed in Lucee and that would remain unfixed in Railo. As to what the specifics of the vulnerabilities are, those have not and will not be documented. None of the vulns were inherently exploitable without an application that used specific code that could potentially be manipulated via URL or Form. Therefore it’s impossible to say that any specific Railo server would be vulnerable, but I think the point to take away from this is that Railo is a dead project not receiving updates, and Lucee is receiving regular updates of all manners, including security fixes. If you have any Railo sites, you should really upgrade them.


Probably not a good idea to publicize things like that.

Keep in mind that any unmaintained software is susceptible to vulnerabilities and as far as I know no one maintains Railo, so if anyone is still using it, it is strongly recommended to upgrade to a maintained version.


OK, thanks Brad.