Due to politics and things out of my control here, we will be continuing to run a public production CF 11 host with no end date in sight. (Which is part of those politics - they actually appear to want it to fail.)
Since it is unsupported and will never be updated, I’m just wondering if there are mitigation steps I can take to ensure even known issues are not available to hackers?
Any extraneous services, packages, etc. I can make sure are off/removed, etc.?
Appreciate everyone’s feedback.
This is a Lucee forum. We can help you convert that app to run on Lucee (probably not much work). Otherwise, I’d recommend asking this on the Adobe forums.
Oh trust me, I have a Lucee replacement ready-to-go once (if) the politics clear.
I will definitely ask there too, but I’ve often found much better responses here. Gee, I wonder why?
Good work. I'd go ahead and accidentally deploy that to prod. They won't even know.
As far as the answer to your original question, here’s a quick list:
- Ensure the CF Admin is not publicly accessible (SUPER IMPORTANT)
- Get on the latest version of Java 8 at least
- Check for and remove any usage of XML parsing if you can (or at least ensure the XML doesn’t come from users-- this can include office files in XML format)
- Be wary of any other CFIDE access such as ajax scripts, cfimage paths, cfchart paths. I'd block anything you're not using
- Make sure all firewall ports other than 80 are blocked so no RMI servers are accessible
- Don't use any of their CKEditor stuff (cftextarea)
- Make sure CF is running as a user with as little permissions as possible
- Make sure your datasource login is NOT using sa, but an account with the smallest permissions possible
- Check your codebase for missing query params
- Ensure you have pretty error pages, missing template handlers, at every CF and web server level so it’s very hard for anyone to ever see a raw CF error message or to even know you’re using CF
- And finally, get a license for @pfreitag’s FuseGuard WAF
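The "check your codebase for missing query params" item above is the one that is tedious to do by hand on a large CF 11 app. The following scanner is an added example, not code from the post or from any Lucee/Adobe tool: it walks `.cfm`/`.cfc` files, finds every `<cfquery>` block, and flags any `#expr#` interpolation in the SQL body that is not inside a `<cfqueryparam>` tag (the `value="#...#"` of a cfqueryparam is a bound parameter and is therefore treated as safe). The `SAMPLE` CFML, the `sample.cfm` name and the `find_unparameterized`/`scan_tree` function names are constructed for the example.

```python
import re
from pathlib import Path

# A tag-based <cfquery ...> ... </cfquery> block; case-insensitive, may span lines.
# \b stops <cfqueryparam from matching as an opening <cfquery tag.
CFQUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.I | re.S)
# A <cfqueryparam ...> tag. Interpolation inside its value="" is bound, not concatenated.
CFQUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.I)
# A #expr# interpolation on one line. The lookbehind skips the second '#' of '##',
# which is CFML's escape for a literal pound sign.
INTERP_RE = re.compile(r"(?<!#)#([^#\n]+)#")


def find_unparameterized(source: str, filename: str = "<string>"):
    """Return (filename, line, expression) for every raw #expr# inside a <cfquery>
    body that is not wrapped in a <cfqueryparam> tag."""
    findings = []
    for q in CFQUERY_RE.finditer(source):
        body, body_start = q.group(1), q.start(1)
        # Character spans of the cfqueryparam tags in this body: interpolations
        # that start inside one of these spans are parameterized and skipped.
        safe_spans = [(m.start(), m.end()) for m in CFQUERYPARAM_RE.finditer(body)]
        for m in INTERP_RE.finditer(body):
            if any(s <= m.start() < e for s, e in safe_spans):
                continue
            # 1-based line number of the interpolation within the whole file.
            line = source.count("\n", 0, body_start + m.start()) + 1
            findings.append((filename, line, m.group(1).strip()))
    return findings


def scan_tree(root):
    """Scan every .cfm/.cfc file under root and collect findings."""
    results = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in (".cfm", ".cfc"):
            results.extend(find_unparameterized(path.read_text(errors="replace"), str(path)))
    return results


# Constructed sample: q1 and the status clause of q2 concatenate user input into
# SQL; q3 and the id clause of q2 are correctly parameterized.
SAMPLE = """\
<cfquery name="q1" datasource="app">
  SELECT * FROM users WHERE id = #url.id#
</cfquery>
<cfquery name="q2" datasource="app">
  SELECT * FROM users
  WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
    AND status = '#form.status#'
</cfquery>
<cfquery name="q3" datasource="app">
  SELECT name FROM products WHERE sku = <cfqueryparam value="#arguments.sku#" cfsqltype="cf_sql_varchar">
</cfquery>
"""

if __name__ == "__main__":
    for fname, line, expr in find_unparameterized(SAMPLE, "sample.cfm"):
        print(f"{fname}:{line}: raw interpolation #{expr}# inside <cfquery>")
```

Run `scan_tree("/path/to/webroot")` against the real codebase and triage the output; a hit where the interpolated value is a constant or a whitelisted column name is a false positive, anything that traces back to `url`, `form`, `cgi`, `cookie` or `arguments` is a query that needs a `<cfqueryparam>`. The scanner only covers tag-based `<cfquery>`; script-style `queryExecute()` calls with string concatenation need a separate look.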
Excellent List! Thank you!
@dlegate: I will definitely ask there [Adobe Forums] too, but I've often found much better responses here. Gee, I wonder why?
Hmm, steady now, @dlegate. Be fair. As the six blind men would say, every bit of knowledge contributes to the whole.
You are absolutely correct, BK, and thank you for your responses on both!