Securing a Legacy ColdFusion Application
Prioritize containment, remove common application vulnerabilities, and recognize the security limits of an unsupported MX-era platform.
Containment Comes First
- Inventory the application, server, data, integrations, and users.
- Remove direct public access where possible.
- Place a current proxy and firewall policy in front of the legacy server.
- Restrict Administrator, RDS, management ports, database access, and file shares.
- Back up the database, application files, uploaded content, and configuration.
- Enable centralized logging and alerting.
- Plan migration to a supported runtime.
SQL Injection
<!--- Vulnerable --->
<cfquery name="customer" datasource="support_portal">
SELECT id, name
FROM customers
WHERE id = #url.id#
</cfquery>
<!--- Parameterized --->
<cfquery name="customer" datasource="support_portal">
SELECT id, name
FROM customers
WHERE id = <cfqueryparam value="#Val(url.id)#" cfsqltype="cf_sql_integer">
</cfquery>
Cross-Site Scripting
<!--- Unsafe ---> <cfoutput>#url.message#</cfoutput> <!--- HTML text context ---> <cfoutput>#HTMLEditFormat(url.message)#</cfoutput>
Encoding is context-specific. A value placed in HTML, an attribute, JavaScript, a URL, or CSS may require a different strategy. Redesign risky inline JavaScript rather than relying on one generic encoding function.
Path Traversal and File Disclosure
<!--- Unsafe --->
<cffile action="read" file="#ExpandPath('./docs/' & url.file)#" variable="documentText">
<!--- Better pattern: look up a server-controlled path by numeric ID. --->
<cfquery name="document" datasource="support_portal" maxrows="1">
SELECT storage_name
FROM documents
WHERE id = <cfqueryparam value="#Val(url.id)#" cfsqltype="cf_sql_integer">
</cfquery>
Dangerous Uploads
- Store outside the web root.
- Generate the stored filename.
- Limit size and allowed business formats.
- Inspect actual content, not only extension or browser MIME type.
- Scan before release.
- Serve through an authorization-controlled download action.
- Ensure the upload directory cannot execute CFML, ASP, PHP, CGI, or scripts.
Administrator and CFIDE Exposure
Audit whether /CFIDE/administrator, documentation, examples, RDS endpoints, and other administrative paths are reachable. Management interfaces should be limited to a trusted administrative network or removed from the public site mapping.
Credentials and Secrets
Search source, includes, scheduled-task URLs, datasource definitions, registry exports, backup archives, and deployment scripts for passwords and API keys. Rotate exposed secrets rather than simply moving them to another file.
Authentication Weaknesses
- Plaintext or fast unsalted password hashes
- No session identifier rotation after login
- Session identifiers in URLs
- No account lockout or rate limiting
- Authorization enforced only by hiding links
- Password-reset tokens with weak randomness or no expiration
- Cookies lacking secure transport protections
Database Least Privilege
A public application usually should not connect as a database administrator or schema owner. Separate read/write application access from migration or administrative credentials.
Compensating Controls While Migrating
Network
- Current WAF/reverse proxy
- IP restrictions
- Outbound allowlist
- Database network isolation
Application
- Parameterize queries
- Encode output
- Add CSRF tokens
- Restrict uploads
Identity
- External SSO gateway where practical
- MFA at the proxy/VPN layer
- Short session lifetimes
- Privilege review
Operations
- Central logs
- File-integrity monitoring
- Backups and restore tests
- Incident response plan