Check: APAS-CF-000335
Adobe ColdFusion STIG:
APAS-CF-000335
(in version v1 r1)
Title
ColdFusion must store only encrypted representations of passwords. (Cat II impact)
Discussion
Applications must enforce password encryption when storing passwords. Passwords need to be protected at all times and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read and easily compromised. Application servers provide either a local user store or they integrate with enterprise user stores like LDAP. When ColdFusion is responsible for creating or storing passwords, ColdFusion must enforce the storage of encrypted representations of passwords.
Check Content
Verify Proxy Settings. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. If a "Proxy Host" is provided with a "Proxy Username" and "Proxy Password", this is a finding.
Fix Text
Configure Proxy Settings.
1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings.
2. Clear the "Proxy Host", "Proxy Username", and "Proxy Password" fields.
3. Select "Submit Changes".
Additional Identifiers
Rule ID: SV-279057r1171529_rule
Vulnerability ID: V-279057
Group Title: SRG-APP-000171-AS-000119
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000196 | The information system, for password-based authentication, stores only cryptographically-protected passwords. |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |