
Pentesting ColdFusion

ColdFusion is a programming language and a web application development platform based on Java. It is used to build dynamic and interactive web applications that can be connected to various APIs and databases such as MySQL, Oracle, and Microsoft SQL Server.

ColdFusion Markup Language (CFML) is the proprietary programming language used in ColdFusion to develop dynamic web applications. It has a syntax similar to HTML, making it easy to learn for web developers.

Basic syntax of ColdFusion Markup Language (CFML)

The cfquery tag, for instance, runs an SQL statement against a datasource configured in the ColdFusion Administrator and stores the result set under the given name:

```cfml
<cfquery name="myQuery" datasource="myDataSource">
  SELECT *
  FROM myTable
</cfquery>
```

Developers then iterate over the returned rows with the cfloop tag; the #...# delimiters interpolate the column values of the current row into the output:

```cfml
<cfloop query="myQuery">
  <p>#myQuery.firstName# #myQuery.lastName#</p>
</cfloop>
```

Thanks to its built-in tags and functions, CFML lets developers express complex business logic in little code. CFML can also instantiate Java objects directly (createObject("java", ...)) and offers cfscript, a script-style syntax that resembles JavaScript, so Java libraries can be used from within the ColdFusion environment. One point worth remembering when reading CFML: a value wrapped in #...# inside a cfquery body is interpolated into the SQL string before it is sent to the database, which is the classic source of SQL injection in ColdFusion applications; the cfqueryparam tag passes the value as a bound parameter instead.

ColdFusion also offers support for email, PDF manipulation, graphing, and other commonly used features.

It is available for download from Adobe's website and can be installed on Windows, Mac, or Linux operating systems. ColdFusion applications can also be deployed on cloud platforms like Amazon Web Services or Microsoft Azure.

Exploitability

Like any web-facing technology, ColdFusion has historically been affected by the usual classes of web vulnerability: SQL injection, XSS, directory traversal, authentication bypass, and arbitrary file upload.

Here are a few CVEs assigned to ColdFusion; confirm the installed version against the affected-version ranges in Adobe's security bulletins before spending time on an exploit:

  1. CVE-2021-21087: Improper input validation leading to arbitrary code execution
  2. CVE-2020-24453: Active Directory integration misconfiguration
  3. CVE-2020-24450: Command injection vulnerability
  4. CVE-2020-24449: Arbitrary file reading vulnerability
  5. CVE-2019-15909: Cross-Site Scripting (XSS) Vulnerability

ColdFusion uses a fair few ports by default. Which of them are actually listening depends on the install type: a standalone (server) install serves pages from its own built-in web server on 8500, while a connector install sits behind IIS or Apache on 80/443.

| Port | Protocol | Description |
|------|----------|-------------|
| 80 | HTTP | Plain HTTP between the browser and the front-end web server (IIS or Apache with the ColdFusion connector). |
| 443 | HTTPS | TLS-protected HTTP on the same front-end web server. |
| 1935 | RMI (RPC) | Java RMI listener that ColdFusion uses for its Flex / LiveCycle Data Services integration; a remote-procedure-call channel, not an HTTP service. |
| 25 | SMTP | Outbound only: the port of the mail server configured in the Administrator, used by cfmail. ColdFusion itself does not listen here. |
| 8500 | HTTP | Built-in web server (Tomcat) of a standalone install. It is plain HTTP, not SSL; the ColdFusion Administrator is typically reachable on it at /CFIDE/administrator/index.cfm. |
| 5500 | Server Monitor | Remote administration and monitoring of the ColdFusion server. |

Enumeration

| Method | Description |
|--------|-------------|
| Port scanning | Besides 80 and 443 on the front-end web server, look for 8500 (built-in web server of a standalone install) and 5500 (Server Monitor). Nmap's service detection (-sV) often labels ColdFusion explicitly. |
| File extensions | ColdFusion pages use the ".cfm" extension and components use ".cfc". Either one in a URL is a strong indicator that the application runs on ColdFusion. |
| HTTP headers | ColdFusion can set headers such as "Server: ColdFusion" or "X-Powered-By: ColdFusion". The session cookies "CFID" and "CFTOKEN" in a Set-Cookie header are another giveaway, and they survive even when a front-end web server rewrites the Server header. |
| Error messages | The default error page is titled "Error Occurred While Processing Request", and stack traces reference Java classes under coldfusion.runtime and the like. Such pages confirm the platform and often leak file system paths and the names of CFML tags or functions involved. |
| Default files | The Administrator login at "/CFIDE/administrator/index.cfm" and the other "/CFIDE/" directories (for example "/CFIDE/adminapi/" and "/CFIDE/scripts/") ship with every install. Finding them confirms ColdFusion and tells you whether the administrative interface is exposed to you. |
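The checks in the table above, as a small fingerprinting script. This is an added example and not code from the original page: it scores one captured HTTP response for ColdFusion indicators, pulls the open ports out of a grepable nmap host line, and builds the list of default-file URLs to probe next. The response and the nmap line are constructed samples; the indicator strings that go beyond the table (the CFID/CFTOKEN cookies, the default error page title, the coldfusion.* class names in stack traces), the probe paths and the scoring weights are the author's assumptions.

```python
"""Fingerprint ColdFusion from a captured HTTP response and an nmap -oG line.

Added example for this page, not code from the original article.  The HTTP
response and the nmap line are constructed; indicator strings beyond the
enumeration table, the probe paths and the weights are assumptions.
"""
import re
from dataclasses import dataclass, field

# Ports from the port table that deserve a second look during a scan.
CF_PORTS = {
    80: "HTTP (front-end web server)",
    443: "HTTPS (front-end web server)",
    1935: "RMI (Flex/LiveCycle Data Services integration)",
    5500: "Server Monitor",
    8500: "built-in web server of a standalone install",
}

# Default paths to request; /CFIDE/administrator/ is the Administrator login.
DEFAULT_PATHS = (
    "/CFIDE/administrator/index.cfm",
    "/CFIDE/adminapi/",
    "/CFIDE/scripts/",
)

# header name -> (pattern, weight, label).  Weight 2: rarely seen elsewhere.
HEADER_INDICATORS = {
    "server": (re.compile(r"coldfusion", re.I), 2, "Server header names ColdFusion"),
    "x-powered-by": (re.compile(r"coldfusion", re.I), 2, "X-Powered-By names ColdFusion"),
    "set-cookie": (re.compile(r"\b(?:CFID|CFTOKEN)=", re.I), 2, "CFID/CFTOKEN session cookie"),
}

# (pattern, weight, label) checked against the response body.
BODY_INDICATORS = (
    (re.compile(r"coldfusion\.(?:runtime|tagext|sql)\.\w+", re.I), 2, "coldfusion.* class in stack trace"),
    (re.compile(r"Error Occurred While Processing Request", re.I), 2, "default error page title"),
    (re.compile(r"/CFIDE/", re.I), 1, "reference to /CFIDE/"),
    (re.compile(r"<cf[a-z]+\b", re.I), 1, "CFML tag leaked into output"),
)


@dataclass
class Fingerprint:
    indicators: list = field(default_factory=list)
    score: int = 0

    def add(self, label: str, weight: int) -> None:
        self.indicators.append(label)
        self.score += weight

    @property
    def likely_coldfusion(self) -> bool:
        # One strong indicator or two weak ones (assumed threshold).
        return self.score >= 2


def has_cfml_extension(url: str) -> bool:
    """True when the URL path ends in .cfm (page) or .cfc (component)."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    return path.lower().endswith((".cfm", ".cfc"))


def fingerprint(url: str, headers: dict, body: str) -> Fingerprint:
    """Collect ColdFusion indicators from one captured request/response."""
    fp = Fingerprint()
    if has_cfml_extension(url):
        fp.add("CFML file extension in URL", 1)
    for name, value in headers.items():
        entry = HEADER_INDICATORS.get(name.lower())
        if entry and entry[0].search(value):
            fp.add(entry[2], entry[1])
    for pattern, weight, label in BODY_INDICATORS:
        if pattern.search(body):
            fp.add(label, weight)
    return fp


def parse_nmap_grepable(line: str) -> list:
    """Open TCP ports from one host line of nmap -oG output."""
    m = re.search(r"Ports:\s*(.*)", line)
    return [int(p) for p in re.findall(r"(\d+)/open/tcp", m.group(1))] if m else []


def interesting_ports(open_ports) -> dict:
    """Subset of open ports that the ColdFusion port table explains."""
    return {p: CF_PORTS[p] for p in open_ports if p in CF_PORTS}


def probe_urls(base: str) -> list:
    """Default-file URLs to request once a host looks like ColdFusion."""
    return [base.rstrip("/") + path for path in DEFAULT_PATHS]


# Constructed samples: an error page served behind IIS, and one nmap -oG line.
SAMPLE_URL = "http://10.0.0.5/index.cfm?id=1"
SAMPLE_HEADERS = {"Server": "Microsoft-IIS/10.0", "Set-Cookie": "CFID=1234; Path=/; HttpOnly"}
SAMPLE_BODY = (
    "<html><head><title>Error Occurred While Processing Request</title></head>"
    "<body>Error Executing Database Query.<br>"
    "coldfusion.runtime.CustomException at /var/www/index.cfm:12</body></html>"
)
SAMPLE_NMAP = (
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 8500/open/tcp//fmtp///\tIgnored State: closed (996)"
)

if __name__ == "__main__":
    fp = fingerprint(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY)
    print(f"score={fp.score} likely={fp.likely_coldfusion} indicators={fp.indicators}")
    print("ports:", interesting_ports(parse_nmap_grepable(SAMPLE_NMAP)))
    print("probe:", probe_urls("http://10.0.0.5:8500"))
```

Feed fingerprint() the URL, headers and body of any response you capture (a proxy export or a raw curl -i dump works); the score is meant as a triage aid, so treat a single weak indicator as a reason to request the default paths from probe_urls() rather than as proof.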
Once the version is known, search Exploit-DB for public exploits:

```shell
searchsploit coldfusion
```
Last update: 2025-08-30
Created: June 1, 2025 11:12:15