Adobe® ColdFusion® 10 Server Lockdown Guide
4.1.6 Update Java Virtual Machine
The Java Virtual Machine included with the ColdFusion installer may not be the latest JVM supported by Adobe ColdFusion 10, or it may contain security issues. Download the latest supported JVM from java.oracle.com.
4.1.7 Block Unused File Types
ColdFusion provides a number of capabilities that are not commonly used and can be blocked. A good example of this is JSP file execution. Here is a list of file extensions that ColdFusion handles by default:
File extensions that usually can be blocked (check with developers first):

File extension  Purpose                                   Safe to block
.cfml           Executes CFML templates (same as .cfm)    Not typically used by developers; if you
                                                          do not use .cfml, block this extension.
.jsp            JavaServer Pages                          Yes, if your applications do not require JSP.
.jws            Java Web Services: write and deploy SOAP  Yes, if not used.
                web services in Java, similar to a CFC.
.hbmxml         Hibernate XML mappings                    Yes, this should be blocked.
A more robust solution is to specify a whitelist of allowed file extensions and block the rest. For example, allow only .cfm, .css, .js, .png, .html and .jpg and block anything else. Your application may require additional extensions.
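As an added example (not part of the Adobe guide), the following Python script checks the request-filtering section of an IIS web.config against the whitelist above: it flags allowUnlisted not set to "false", any extension from the table that is explicitly allowed, and whitelist entries that are missing once deny-by-default is on. The two web.config fragments are constructed samples; the fileExtensions/allowUnlisted elements are standard IIS Request Filtering configuration.

```python
import xml.etree.ElementTree as ET

# Whitelist from the guide's example in 4.1.7; extend it per application.
ALLOWED = {".cfm", ".css", ".js", ".png", ".html", ".jpg"}
# Extensions from the guide's "usually can be blocked" table.
BLOCK_CANDIDATES = {".cfml", ".jsp", ".jws", ".hbmxml"}

# Constructed sample: unlisted extensions are served and .jsp is explicitly allowed.
WEAK_CONFIG = """<configuration><system.webServer><security><requestFiltering>
  <fileExtensions allowUnlisted="true">
    <add fileExtension=".jsp" allowed="true" />
  </fileExtensions>
</requestFiltering></security></system.webServer></configuration>"""

# Constructed sample: deny by default, only the whitelist is served.
HARDENED_CONFIG = """<configuration><system.webServer><security><requestFiltering>
  <fileExtensions allowUnlisted="false">
    <add fileExtension=".cfm" allowed="true" />
    <add fileExtension=".css" allowed="true" />
    <add fileExtension=".js" allowed="true" />
    <add fileExtension=".png" allowed="true" />
    <add fileExtension=".html" allowed="true" />
    <add fileExtension=".jpg" allowed="true" />
  </fileExtensions>
</requestFiltering></security></system.webServer></configuration>"""


def audit_request_filtering(web_config_xml: str) -> list:
    """Return findings; an empty list means the whitelist is enforced."""
    root = ET.fromstring(web_config_xml)
    file_exts = next(root.iter("fileExtensions"), None)
    if file_exts is None:
        return ["no <fileExtensions> element: extension filtering is not configured"]
    findings = []
    # IIS defaults allowUnlisted to true, i.e. anything not listed is served.
    deny_by_default = file_exts.get("allowUnlisted", "true").lower() == "false"
    if not deny_by_default:
        findings.append('allowUnlisted is not "false": unlisted extensions '
                        "(.cfml, .jws, .hbmxml, ...) are still served")
    explicitly_allowed = {
        add.get("fileExtension", "").lower()
        for add in file_exts.findall("add")
        if add.get("allowed", "").lower() == "true"
    }
    for ext in sorted(BLOCK_CANDIDATES & explicitly_allowed):
        findings.append(f"{ext} is explicitly allowed; block it unless developers need it")
    if deny_by_default:
        for ext in sorted(ALLOWED - explicitly_allowed):
            findings.append(f"{ext} is not on the allow list; add it if the application serves it")
    return findings
```

The .cfc extension is absent from the guide's example list, as shown; add it to the allow list if the application invokes CFC remote methods by URL.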
46