ColdFusion Installed By Default? And CGI? And Even If It Were True …? Some Expert!

Shelley Bard is a security expert, or at least that is what her bio suggests. But, well, you decide. Her new article on recommends “Check for Web server vulnerabilities no less than monthly; update your Web server security policy annually or each time you upgrade or patch.” Ok, that is a pretty safe statement, I am not sure that I completely buy it, but it’s safe. She then adds “Web servers are your organization’s public face and provide an easy way into your network. All Web servers have associated security issues, some more than others.”. Now that I buy, very true. But then things go downhill quickly. “Many Web servers come with sample Common Gateway Interface (CGI) programs installed by default, like ColdFusion, which can be used to execute malicious commands.” Whoa, slow down there. ColdFusion installed by default? On many Web servers? Default, as in it may be lurking and doing damage without even being aware of it? And CGI? And even if it were true, what does a program being implemented via CGI (as opposed to a server API) have anything to do with it? The sad thing is that some of Ms. Bard’s comments and suggestions are valid and legitimate, but the message gets lost amidst the generalities and inaccuracies. The article is at,289483,sid14_gci1013416,00.html.

11 responses to “ColdFusion Installed By Default? And CGI? And Even If It Were True …? Some Expert!”

  1. Devin Avatar

    i’m guessing she really means asp/.net installed by default on windows o/s. what a crazy mixup!

  2. Adam Avatar

    I also like how she mentions that you should secure Windows Servers as well, and then only goes on to describe security procedures for Unix systems.
    It’s scary to see her suggest that people should consider whether they actually need CGI/ColdFusion/ASP programs. If you’re running your own dedicated server and you’re hosting only static content, you’re really missing the point.

  3. Darrell Johnson Avatar
    Darrell Johnson

    Yes, I sent that "Security" site a some feedback encouraging them to do a better job screening their authors "expertise"

  4. Damien Avatar

    That’s the wonderful thing about life – its the self-professed experts that everyone listens to because they can use the correct proportions of scare tactics and technobable to persuade anyone. Hell, just look at how medicine is handled these days.

  5. Micha Schopman Avatar
    Micha Schopman

    Unbelievable, seriously. Authors writing such articles show they have unsufficient experience in the area and should not globally consult on websites like security focus (and this website HAS an impact on daily ICT Management nowadays).
    What wonders me is how the standard content workflow rules for the website failed (I presume they have one) for this specific article. Hasn’t anyone reviewed it before putting it into a live status.

  6. Kola Oyedeji Avatar
    Kola Oyedeji

    Perhaps she was referring to earlier versions of coldfusion which also allowed coldfusion to be called from the command line?

  7. Andrei Oprea Avatar
    Andrei Oprea

    The scary part:
    "Shelley Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia."

  8. Kay Smoljak Avatar
    Kay Smoljak

    Wow, I wish that I had ColdFusion installed by default on all my servers. That would be really handy 🙂

  9. Abhijit Avatar

    I’ve come across a few other misinformed so called "Security Experts" who have some sort of bias against Coldfusion. I find it really disappointing when people make statements like that without even doing some basic homework.

  10. Ed Avatar

    We all know technical people don’t have great interpersonal skills. As evidenced, by the comments posted above.
    I don’t see how this makes for a worthy CF post. I mean come on, is CF so dead that this is all we talk about?
    What she probably meant, are these nearly identical sentences.
    "Many Web servers come with sample programs installed by default. Common Gateway Interface (CGI), like ColdFusion, can be used to execute malicious commands."
    We all remember Allaire’s classic screw-up where the sample applications being installed on a production server could allow hackers to run code to upload/delete files. A warning might be nice… Way to go Cold Fusion security!
    The fact of the matter is CF dumbs-down web development in favor of rapid application development. Thus allowing XSS to occur more frequently that say J2EE and .NET (yes, it’s true).
    The potenital to have CF run code maliciously is what she really meant. We all know CF will never be a widely used product again (again, yes, it’s true)

  11. Andy Sandefer Avatar
    Andy Sandefer

    I’ve had the misfortune of reading this author on more than one occasion. Ben, as usual you’re being too damn nice here.
    She has proven to me that she usually writes as a true generalist who is obviously bullshitting her way through those nasty little things called technical details article after article. I hate to seem like such a freak but this is the Nth time that I’ve come across a blog pointing out a mistake that this chic is spreading to influential people who already have a lack of detailed knowledge – that’s right – IT Managers are the folks who have the time to read this stuff and they also get bombarded with free publications everyday as well.

Leave a Reply