We have seen some cases where the user is trying to login to ColdFusion administrator console and CF keeps throwing login page again and again even though user has provided valid credentials. We heard users tried doing something like password reset, restarting the server which even didn’t helped solving the issue. So we were curious to find what causing this issue and will discuss some of the issues we came across that occur when attempting to log into the administrator console. […]
ColdFusion 11 added few more security functions to the rich set of coldfusion security functions. Some of them includes protection against XSS using AntiSamy framework, PBKDF2 key derivation etc. In this blog post we will introduce you to the Antisamy and PBKDF2 key derivation functions added in coldfusion Splendor. AntiSamy Support: If there is a need to accept HTML/CSS input from the user then there is high possibility that the input containing XSS. In this case We can not use […]
ColdFusion Enterprise installation includes FIPS compliant RSA BSAFE JCE Crypto Provider. Default algorithm used by this library for random number generation is ECDRBG (A variant of Dual Elliptic Curve). RSA has released an advisory regarding same (ESA-2013-068) listing unsafe random bit generation algorithms. ColdFusion sets the default random number generator algorithm to FIPS186Random (JVM argument -Dcoldfusion.jsafe.defaultalgo=<algorithm>) which is completely safe to use. So good news is by default your ColdFusion 10 installation is secure. Note that CrypotJ libraries are not […]
New security update is available for coldfusion versions 9.0, 9.0.1, 9.0.2 and 10.0. This hotfix addresses the security issues specified in the technote here. Here is the link to the security bulletin for this hotfix. It also includes few important bug fixes for coldfusion 10 as specified here. We recommend locking down your server by following the lock down guide and disable unused features in the production environments.