Title

ColdFusion must have ColdFusion component (CFC) type checking enabled. (Cat II impact)

Discussion

Invalid user input occurs when a user inserts data or characters into an application's data entry field and the application is unprepared to process that data. This results in unanticipated application behavior, potentially leading to an application or information system compromise. Invalid user input is one of the primary methods employed when attempting to compromise an application. Invalid input can also occur within applications to ColdFusion components. The parameters can be input from users that are not properly type checked or from data computed within the application. When the data is not type checked, the receiving component may cause an error that is unhandled or throw an exception that puts the application server and/or hosted application into an unsecure posture. To limit invalid calls, ColdFusion component (CFC) type checking must be disabled.

Check Content

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If the "Disable CFC Type check" is checked, this is a finding.

Fix Text

Navigate to the "Settings" page under the "Server Settings" menu. Uncheck "Disable CFC Type check" and select the "Submit Changes" button.

Additional Identifiers

Rule ID: SV-237232r641791_rule

Vulnerability ID: V-237232

Group Title: SRG-APP-000447-AS-000273

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.