Due to many politics and things out of my control here, we will be continuing running a public production CF 11 host with no end date in sight. (which is part of those politics - they actually appear to want it to fail)
Since it is unsupported and will never be updated, I’m just wondering if there are mitigation steps I can take to ensure even known issues are not available to hackers?
Any extraneous services, packages, etc. I can make sure are off/removed, etc.?
This is a Lucee forum. We can help you convert that app to run on Lucee (probably not much work). Otherwise, I’d recommend asking this on the Adobe forums.
Good work. I’d go ahead and accidentally deploy that to prod. They won’t even know.
As far as the answer to your original question, here’s a quick list:
Ensure the CF Admin is not publicly accessible (SUPER IMPORTANT)
Get on the latest version of Java 8 at least
Check for and remove any usage of XML parsing if you can (or at least ensure the XML doesn’t come from users-- this can include office files in XML format)
Be wary of any other CFIDE access such as ajax scripts, cfimage paths, cfchart paths. I’d block anything you’re not using
Make sure all firewall ports other than 80 are blocked so no RMI servers are accessible
Don’t use any of their CKEditor stuff (cftextarea)
Make sure CF is running as a user with as little permissions as possible
Make sure your datasource login is NOT using sa, but an account with the smallest permissions possible
Check your codebase for missing query params
Ensure you have pretty error pages and missing template handlers at every CF and web server level so it’s very hard for anyone to ever see a raw CF error message or to even know you’re using CF
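As an added illustration of the "check your codebase for missing query params" item (this is example code, not something posted in the thread), a small scanner that flags any cfquery block that interpolates a #variable# straight into the SQL text instead of binding it through cfqueryparam. It assumes .cfm/.cfc sources on disk and runs here against a constructed sample.

```python
import os
import re

# Match each <cfquery ...>...</cfquery> block and capture its SQL body.
CFQUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
# A cfqueryparam tag binds its value="#x#" as a parameter, so it is not a concatenation.
CFQUERYPARAM_TAG_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE)
# Any remaining #expr# in the SQL body is interpolated into the query string.
INTERP_RE = re.compile(r"#([^#]+)#")


def find_unparameterized_queries(source):
    """Return [(line_number, [interpolated expressions])] for every risky cfquery."""
    findings = []
    for match in CFQUERY_RE.finditer(source):
        body = match.group(1)
        # Drop the cfqueryparam tags first so their value="#x#" is not counted.
        stripped = CFQUERYPARAM_TAG_RE.sub("", body)
        exprs = [e.strip() for e in INTERP_RE.findall(stripped)]
        if exprs:
            line = source.count("\n", 0, match.start()) + 1
            findings.append((line, exprs))
    return findings


def scan_tree(root, extensions=(".cfm", ".cfc")):
    """Walk a source tree and report risky queries per file as {path: findings}."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_unparameterized_queries(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample: q1 and q3 concatenate user input, q2 binds it correctly.
SAMPLE = """<cfquery name="q1" datasource="app">
  SELECT * FROM users WHERE id = #url.id#
</cfquery>
<cfquery name="q2" datasource="app">
  SELECT * FROM users
  WHERE id = <cfqueryparam cfsqltype="cf_sql_integer" value="#url.id#">
</cfquery>
<cfquery name="q3" datasource="app">
  SELECT * FROM users WHERE name = '#form.name#' AND status = #status#
</cfquery>
"""

if __name__ == "__main__":
    for line, exprs in find_unparameterized_queries(SAMPLE):
        print(f"line {line}: unbound expressions {exprs}")
```

The check is intentionally simple (it does not understand `##` escapes or comments), so treat its output as a worklist to review by hand, not a clean bill of health.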