ColdFusion must be configured with secure and approved server settings to enforce application hardening, input validation, error handling, and protection against common web vulnerabilities.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-279050 | SRG-APP-000141-AS-000095 | APAS-CF-000265 | SV-279050r1171521_rule | 2025-12-19 | 1 |
| Description |
|---|
| ColdFusion Server Settings must be securely configured to enforce application hardening, prevent misuse of functionality, and protect against common web application vulnerabilities. These settings control critical behaviors, including request timeouts, file inclusion, POST limits, script protection, error handling, and access to internal Java components. If these settings are not properly configured according to documented security guidelines and performance parameters, ColdFusion may be exposed to a variety of threats. Improper request throttling or POST limits can lead to denial-of-service conditions, while excessive output buffer sizes and unfiltered file uploads can result in resource exhaustion or exploitation of the file system. Enabling features such as debug output, remote inspection, or detailed exception information may disclose internal logic, configuration details, or sensitive data to unauthorized users. Allowing overly permissive file inclusion or attribute handling introduces the risk of injection attacks or unintended code execution. Using default, insecure, or unnecessary features violates secure configuration principles and increases the application's attack surface. Ensuring ColdFusion is configured with approved and secure server settings helps maintain proper access control, input validation, error handling, and system resilience, ultimately reducing the risk of compromise or misuse. Satisfies: SRG-APP-000141-AS-000095, SRG-APP-000211-AS-000146, SRG-APP-000223-AS-000150, SRG-APP-000266-AS-000168, SRG-APP-000380-AS-000088, SRG-APP-000435-AS-000163, SRG-APP-000441-AS-000258, SRG-APP-000447-AS-000273, SRG-APP-000516-AS-000237 |
| ℹ️ Check |
|---|
| Verify Server Settings. |
| 1. From the Admin Console Landing Screen, navigate to Server Settings >> Settings. If "Timeout Requests after seconds" is not set to "5" or is not set in accordance with the documented tuning parameters, this is a finding. If "Disable access to internal ColdFusion Java components" is unchecked, this is a finding. If "Allow REST Discovery" is checked, this is a finding. |
| 2. Review the "Allow Extra Attributes in AttributeCollection" setting. If nonstandard attributes are allowed to be passed to ColdFusion tags, this is a finding. If "Allowed file extensions for CFInclude tag" is empty, this is not a finding. If "Allowed file extensions for CFInclude tag" contains the wildcard string "\*.\*" or if the list of file extensions is not the list approved by the ISSO, this is a finding. If "Disable creation of unnamed applications" is unchecked, this is a finding. If "Use UUID for cftoken" is not checked, this is a finding. If "Allow adding application variables to Servlet Context" is checked, this is a finding. If "Check configuration files for changes every" is checked, this is a finding. If "Maximum number of POST request parameters" is not set to "50" or is not set in accordance with documented tuning parameters, this is a finding. If "Maximum Output Buffer Size" is set to a number larger than 1024, this is a finding. If "Max Unzip Ratio" is set to a number larger than 100, this is a finding. If "Request Throttle Threshold" is set to a number larger than 4, this is a finding. If "Disable CFC Type check" is checked, this is a finding. If "Prefix serialized JSON with" is unchecked, this is a finding. If "Enable Global Script Protection" is unchecked, this is a finding. If "Default ScriptSrc Directory" is set to "/cf_scripts/scripts/", this is a finding. |
| 3. Review the "Use UUID for cftoken" setting. If the cftoken is not configured to use UUID, this is a finding. |
| 4. Review the "Prefix serialized JSON with" setting. If a prefix is not configured for JSON, this is a finding. |
| 5. Review the "Blocked file extensions for CFFile uploads" setting. If no file extensions are set to be blocked, this is a finding. |
| 6. Validate that the "Missing Template Handler" setting is not blank and that the template specified is valid. If the "Missing Template Handler" parameter is blank, this is a finding. |
| 7. Validate that the template exists. The path and file given are relative to the web server's document root directory, not the OS root directory. (Example: If the web server's document root is /opt/webserver/wwwroot and the "Missing Template Handler" is set to /CFIDE/administrator/templates/missing_template_error.cfm, the full path to the template file is /opt/webserver/wwwroot/CFIDE/administrator/templates/missing_template_error.cfm.) If the "Missing Template Handler" setting is not a valid file, this is a finding. |
| 8. Validate that the "Site-wide Error Handler" setting is not blank and that the template specified is valid. If the "Site-wide Error Handler" parameter is blank, this is a finding. |
| 9. Validate that the template exists. The path and file given are relative to the web server's document root directory, not the OS root directory. (Example: If the web server's document root is /opt/webserver/wwwroot and the "Site-wide Error Handler" is set to /CFIDE/administrator/templates/secure_profile_error.cfm, the full path to the template file is /opt/webserver/wwwroot/CFIDE/administrator/templates/secure_profile_error.cfm.) If the "Site-wide Error Handler" setting is not a valid file, this is a finding. |
| ✔️ Fix |
|---|
| Configure Server Settings. |
| 1. Set "Timeout Requests after seconds" to "5" or adjust according to documented tuning parameters. |
| 2. Check the box to disable access to internal ColdFusion Java components. |
| 3. Uncheck "Allow REST Discovery" if it is currently checked. |
| 4. Review and disallow nonstandard attributes from being passed to ColdFusion tags. |
| 5. Ensure "Allowed file extensions for CFInclude tag" is not empty and does not contain the wildcard "\*.\*" unless approved by the information system security officer (ISSO). |
| 6. Check the box to disable creation of unnamed applications. |
| 7. Check the box to use UUID for cftoken. |
| 8. Uncheck "Allow adding application variables to Servlet Context". |
| 9. Uncheck "Check configuration files for changes every". |
| 10. Set "Maximum number of POST request parameters" to "50" or adjust according to documented tuning parameters. |
| 11. Set "Maximum Output Buffer Size" to "1024" or lower. |
| 12. Set "Max Unzip Ratio" to "100" or lower. |
| 13. Set "Request Throttle Threshold" to "4" or lower. |
| 14. Uncheck "Disable CFC Type check". |
| 15. Check the box to prefix serialized JSON. |
| 16. Check the box to enable Global Script Protection. |
| 17. Set "Default ScriptSrc Directory" to a directory other than "/cf_scripts/scripts/". |
| 18. Ensure that "Use UUID for cftoken" is configured to use UUID. |
| 19. Ensure that a prefix is configured for JSON serialization. |
| 20. Ensure that file extensions are appropriately blocked as per policy. |
| 21. Ensure that "Missing Template Handler" is not blank and specifies a valid template path. |
| 22. Ensure that "Site-wide Error Handler" is not blank and specifies a valid template path. |
| 23. Select "Submit Changes". |
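An added example, not part of the STIG text: a Python function that applies the Check conditions above (thresholds, checkbox states, the CFInclude wildcard, the ScriptSrc default, and the document-root-relative handler paths) to settings transcribed from the Administrator. The setting key names and sample values are constructed for this example; the `isfile` parameter is an assumption that lets the handler check run without a real document root.

```python
import os

# Thresholds from the rule; ISSO-documented tuning parameters may override TUNABLE.
LIMITS = {"max_output_buffer": 1024, "max_unzip_ratio": 100,
          "request_throttle_threshold": 4}
TUNABLE = {"timeout_seconds": 5, "max_post_params": 50}
MUST_BE_ON = ("disable_internal_java", "disable_unnamed_apps", "uuid_cftoken",
              "json_prefix", "global_script_protection")
MUST_BE_OFF = ("allow_rest_discovery", "allow_extra_attributes",
               "app_vars_in_servlet_context", "check_config_changes",
               "disable_cfc_type_check")
HANDLERS = ("missing_template_handler", "sitewide_error_handler")

def handler_path(docroot, handler):
    """Resolve a handler path against the web server document root, not OS root."""
    return docroot.rstrip("/") + "/" + handler.lstrip("/") if handler else None

def check_server_settings(s, docroot, documented=None, isfile=os.path.isfile):
    """Return finding strings for this rule's Server Settings checks.
    documented: ISSO-documented tuning values overriding TUNABLE; isfile is
    injectable (constructed here) so the logic can run without a document root."""
    documented = documented or {}
    f = [k + " is unchecked" for k in MUST_BE_ON if not s[k]]
    f += [k + " is checked" for k in MUST_BE_OFF if s[k]]
    f += [f"{k} is {s[k]}, expected {documented.get(k, d)}"
          for k, d in TUNABLE.items() if s[k] != documented.get(k, d)]
    f += [f"{k} is {s[k]}, limit {lim}" for k, lim in LIMITS.items() if s[k] > lim]
    if "*.*" in s["cfinclude_extensions"]:
        f.append("CFInclude extension list contains the wildcard *.*")
    if s["scriptsrc_dir"] == "/cf_scripts/scripts/":
        f.append("Default ScriptSrc Directory left at /cf_scripts/scripts/")
    if not s["blocked_upload_extensions"]:
        f.append("no file extensions are blocked for CFFile uploads")
    for k in HANDLERS:  # blank handler, or a file missing under docroot, is a finding
        p = handler_path(docroot, s[k])
        if p is None or not isfile(p):
            f.append(k + " is blank or not a file under the document root")
    return f

# Constructed compliant sample, using the document root from the Check text.
DOCROOT = "/opt/webserver/wwwroot"
SAMPLE = dict(timeout_seconds=5, max_post_params=50, max_output_buffer=1024,
              max_unzip_ratio=100, request_throttle_threshold=4,
              cfinclude_extensions=["cfm", "cfc"], scriptsrc_dir="/cf_assets/",
              blocked_upload_extensions=["exe", "jsp"],
              missing_template_handler="/CFIDE/administrator/templates/missing_template_error.cfm",
              sitewide_error_handler="/CFIDE/administrator/templates/secure_profile_error.cfm",
              **{k: True for k in MUST_BE_ON}, **{k: False for k in MUST_BE_OFF})
```

Passing a real document root with the default `isfile` performs the actual file-existence check of steps 7 and 9.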