Securing ACF 11 as much as possible?

Due to many politics and things out of my control here, we will be continuing running a public production CF 11 host with no end date in sight. (which is part of those politics - they actually appear to want it to fail)

Since it is unsupported and will never be updated, I’m just wondering if there are mitigation steps I can take to ensure even known issues are not available to hackers?

Any extraneous services, packages, etc. I can make sure are off/removed, etc.?

Appreciate everyone’s feedback.

This is a Lucee forum. We can help you convert that app to run on Lucee (probably not much work). Otherwise, I’d recommend asking this on the Adobe forums.

Oh trust me, I have a Lucee replacement ready-to-go once (if) the politics clear.

I will definitely ask there too, but I’ve often found much better responses here. Gee, I wonder why? :rofl:

Good work. I’d go ahead and accidentally deploy that to prod. They won’t even know :slight_smile:

As far as the answer to your original question, here’s a quick list:

  • Ensure the CF Admin is not publicly accessible (SUPER IMPORTANT)
  • Get on the latest version of java 8 at least
  • Check for and remove any usage of XML parsing if you can (or at least ensure the XML doesn’t come from users-- this can include office files in XML format)
  • Be wary of any other CFIDE access such as ajax scripts, cfimage paths, cfchart paths. I’d block anything you’re not using
  • Make sure all firewall ports other than 80 are blocked so no RMI servers are accessible
  • Don’t use any of their CKEditor stuff (cftextarea)
  • Make sure CF is running as a user with as little permissions as possible
  • Make sure your datasource login is NOT using sa, but an account with the smallest permissions possible
  • Check your codebase for missing query params
  • Ensure you have pretty error pages, missing template handlers, at every CF and web server level so it’s very hard for anyone to ever see a raw CF error message or to even know you’re using CF
  • And finally, get a license for @pfreitag’s FuseGuard WAF
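One way to act on the "check your codebase for missing query params" item above, as an added example that is not from this thread nor from any Lucee or Adobe tool: a small POSIX shell/awk heuristic that flags <cfquery> blocks which interpolate #variables# without any <cfqueryparam>. The sample .cfm content is constructed; the helper names are my own.

```shell
#!/bin/sh
# Heuristic scan for <cfquery> blocks that interpolate #vars# with no <cfqueryparam>.
# It is line-based and case-insensitive, so it can miss clever layouts and will
# flag #comments# inside SQL; treat its output as a review worklist, not a verdict.

# Print "file:line" for each suspicious <cfquery> block in the given file.
scan_cfquery_file() {
  awk '
    tolower($0) ~ /<cfquery[ >]/ { inq = 1; start = NR; interp = 0; param = 0 }
    # a #...# on a line that is not itself a cfqueryparam counts as raw interpolation
    inq && /#[^#]+#/ && tolower($0) !~ /<cfqueryparam/ { interp = 1 }
    inq && tolower($0) ~ /<cfqueryparam/ { param = 1 }
    inq && tolower($0) ~ /<\/cfquery>/ {
      if (interp && !param) printf "%s:%d\n", FILENAME, start
      inq = 0
    }
  ' "$1"
}

# Number of suspicious blocks in the given file (stdout, no padding).
count_unparameterized_queries() {
  scan_cfquery_file "$1" | wc -l | tr -d ' '
}

# Constructed sample: q1 is raw interpolation, q2 is parameterized, q3 has no input.
write_sample_cfm() {
  cat > "$1" <<'EOF'
<cfquery name="q1" datasource="app">
  SELECT * FROM users WHERE id = #url.id#
</cfquery>
<cfquery name="q2" datasource="app">
  SELECT * FROM users WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfquery name="q3" datasource="app">
  SELECT * FROM roles
</cfquery>
EOF
}

# Demo run against the constructed sample; only q1 (line 1) is reported.
demo_file=$(mktemp)
write_sample_cfm "$demo_file"
scan_cfquery_file "$demo_file"
rm -f "$demo_file"
```

For a real codebase, run `find . -name '*.cfm' -o -name '*.cfc' | while read -r f; do scan_cfquery_file "$f"; done` and review each hit by hand.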

Excellent List! Thank you!


@dlegate : I will definitely ask there [Adobe Forums] too, but I’ve often found much better responses here. Gee, I wonder why? :rofl:

Hmm, steady now, @dlegate. Be fair. As the six blind men would say, every bit of knowledge contributes to the whole.


You are absolutely correct, BK, and thank you for your responses on both!