Title

The ColdFusion Administrator Console must transmit only encrypted representations of passwords. (Cat II impact)

Discussion

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. ColdFusion uses username and password for users to authenticate to the Administrator Console. When these credentials are sent in plaintext, an attacker can capture the information and use the credentials to log on to the console, creating objects, connections, and accounts for later use. The attacker will also have access to information stored for connections to other systems that ColdFusion may be connected to for data retrieval.

Check Content

Access the Administrator Console through a web browser. Look for indications that the communication is an https session through the prefix of https on the url and/or the lock icon, depending on the browser in use. If https does not appear to be in use, this is a finding.

Fix Text

Review the documentation for the web server where the Administrator Console is being hosted and setup https encryption to protect passwords during the authentication process.

Additional Identifiers

Rule ID: SV-237192r641671_rule

Vulnerability ID: V-237192

Group Title: SRG-APP-000172-AS-000120

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.