STIGQter: STIG Summary: Adobe ColdFusion 11 Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 26 Jan 2018:

ColdFusion must only allow approved file extensions.

DISA Rule

SV-76895r1_rule

Vulnerability Number

V-62405

Group Title

SRG-APP-000141-AS-000095

Rule Version

CF11-03-000096

Severity

CAT II

CCI(s)

• CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

10

Fix Recommendation

Navigate to the "Settings" page under the "Server Settings" menu. Enter the list of approved file extensions in the "Allowed file extensions for CFInclude tag" field and select the "Submit Changes" button. A blank list will only allow cfm and cfml files to be included and fulfills this requirement.

Check Contents

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If "Allowed file extensions for CFInclude tag" is empty, this is not a finding.

If the "Allowed file extensions for CFInclude tag" contains the wildcard string "*.*" or if the list of file extensions is not the list approved by the ISSO, this is a finding.

Vulnerability Number

V-62405

Documentable

False

Rule Version

CF11-03-000096

Severity Override Guidance

Within the Administrator Console, navigate to the "Settings" page under the "Server Settings" menu. If "Allowed file extensions for CFInclude tag" is empty, this is not a finding.

If the "Allowed file extensions for CFInclude tag" contains the wildcard string "*.*" or if the list of file extensions is not the list approved by the ISSO, this is a finding.

Check Content Reference

M

Target Key

2661

Comments