
TeraTech

The ColdFusion Experts: Develop | Secure | Optimize


How One Company Improved Their ColdFusion Security (From Datanapped to Safe)

January 17, 2025 By Michaela Light Leave a Comment

One day a company much like yours (let’s call them “The Company”) called us for help with a serious problem. Someone had hacked into their ColdFusion server and encrypted all of their important data files. Shortly afterwards, The Company received an email demanding $100,000 to decrypt those files. The Company had been both hacked and “datanapped”.

Could this happen to your company?

Contents

  • How Secure is Your ColdFusion Server?
  • A Short Look at The Company’s ColdFusion Security Issues
  • What Were the Main Issues Uncovered in the ColdFusion Security Audit?
  • Should Other Security Issues be Explored?
  • Wrapping Up and Going Forward with ColdFusion Security

How Secure is Your ColdFusion Server?

These are some of the problems you can experience with an insecure ColdFusion server:

  • After a breach, personnel job security goes into rapid decline

  • If you are datanapped, the monetary demands may be excessively high

  • Your customers’ sensitive data could be posted on the Darknet for scamming purposes

  • If news of the breach goes public, company PR will be damaged

  • The scope of the problem may be far greater than one particular system

  • Your CF site slows down or crashes because hackers are using the server to send spam email

Now let’s find out some background from The Company and see if we can gain some insight into the problem.

A Short Look at The Company’s ColdFusion Security Issues

When we arrived at The Company, it was chaos. People were scrambling and unsure of how to handle the situation.

We set up our team and accessed their server. One of the first things we noticed was that regular scheduled maintenance had not been done: security patches and updates were still waiting to be applied.

The hackers had infiltrated most areas of the ColdFusion server. They had been inside the system for over six months! Many of the server’s systems were affected, including the central database.

In addition, the hackers had been using The Company’s CF server to send out an enormous volume of spam. In fact, that spam is how The Company finally noticed they had been hacked, because it was slowing down server performance greatly. The hackers’ presence also hurt The Company’s email deliverability, because their SMTP server had been blacklisted.

What Were the Main Issues Uncovered in the ColdFusion Security Audit?

As part of the initial security audit, we looked at the following issues:

  • Scanned the server for security holes

  • Reviewed the server configuration for security

  • Reviewed the ColdFusion configuration for security

  • Reviewed database configuration for security

  • Tuned ColdFusion, database, and server configuration for high security

After the audit, we turned to recovering the datanapped files and repairing the affected systems. A quick check revealed that The Company had been doing regular backups. Instead of paying the hackers, we restored an older backup of the files to the system once all traces of the hackers’ presence were gone.

Upon finishing repairs, we turned our sights to preventing this event from ever happening again. We looked at a sample of code for security holes and made recommendations for future prevention best practices. Our team recommended continuing server backups and implementing a scheduled plan for future updates and security patches.

As Pete Freitag says in episode 020 of the ColdFusion Alive Podcast, “Secrets of High-Security ColdFusion Code”:

“Why should someone even care about the security in their ColdFusion code? It's something that's a very important topic. If you've got security vulnerabilities within your code base – eventually, at some point, if you don't address them – you might find out the hard way, which is a really horrible thing to have to go through: having somebody hack your server and all the potential things that they might be able to do.

It could be deleting important assets that are difficult to recover; corrupted databases that might be very difficult to restore back to a reasonable state. There's just all sorts of things that an attacker could potentially do to your applications, and they can really be a costly problem for you to recover from.”

Should Other Security Issues be Explored?

One of the ways the hackers gained access to The Company’s database was through SQL Injection. SQL Injection happens when attacker-controlled input (a URL or form value, for example) is concatenated straight into a SQL statement, so that the input is executed as part of the query instead of being treated as data. This is one of the most common issues our clients have reported to us here at TeraTech and to others. David Epler touches on this in his webinar, “ColdFusion Security and Web Hacking Tools”.

Consider the story of Lauri Love, a British hacker who infiltrated many U.S. government ColdFusion servers using SQL Injection. This gives you an idea of how widespread the use of SQL Injection is among hackers.

Your ColdFusion servers can be protected by using CFQueryParam for every variable value in your SQL queries and by remaining vigilant!
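To make the CFQueryParam advice concrete, here is an added example (constructed for this article, not The Company’s code) showing a query written the injectable way beside the same query with bound parameters, in both tag and script syntax. It assumes a datasource named appDS and a users table with id, email and status columns; both are placeholders.

```cfml
<!--- Constructed example. Assumes a datasource "appDS" and a table
      users(id, email, status); both names are placeholders. --->

<!--- VULNERABLE: url.id is pasted into the SQL text, so whatever the
      client sends is parsed by the database as part of the statement. --->
<cfquery name="getUser" datasource="appDS">
    SELECT id, email, status
    FROM users
    WHERE id = #url.id#
</cfquery>

<!--- HARDENED: cfqueryparam sends the value as a typed bind parameter.
      It is never interpreted as SQL, and cf_sql_integer also rejects
      non-numeric input before the query reaches the database. --->
<cfquery name="getUser" datasource="appDS">
    SELECT id, email, status
    FROM users
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Strings work the same way. maxlength bounds the input, and the LIKE
      wildcards are added in CFML so the whole pattern is one bound value. --->
<cfquery name="findUsers" datasource="appDS">
    SELECT id, email, status
    FROM users
    WHERE email LIKE <cfqueryparam value="%#form.email#%"
                                   cfsqltype="cf_sql_varchar" maxlength="100">
      AND status = <cfqueryparam value="active" cfsqltype="cf_sql_varchar">
</cfquery>

<cfscript>
// Script syntax: queryExecute() with named parameters gives the same
// protection. Each parameter carries a value and a cfsqltype.
user = queryExecute(
    "SELECT id, email, status FROM users WHERE id = :id",
    { id = { value = url.id, cfsqltype = "cf_sql_integer" } },
    { datasource = "appDS" }
);

// Caveat: bind parameters cover values only. Table names, column names
// and ORDER BY targets cannot be parameterised, so pick those from a
// fixed allow list rather than from anything the client supplied.
allowedSort = [ "email", "status" ];
sortCol = arrayFind( allowedSort, form.sort ) ? form.sort : "email";
users = queryExecute(
    "SELECT id, email, status FROM users ORDER BY " & sortCol,
    {},
    { datasource = "appDS" }
);
</cfscript>
```

Reviewing existing code for any `#variable#` that appears inside a cfquery without a surrounding cfqueryparam is the quickest way to find the queries that still need this treatment.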

Related: Top 5 Security Issues Solved with Adobe ColdFusion 2018

Wrapping Up and Going Forward with ColdFusion Security

Just like we told The Company, there are ways you can learn best practices and troubleshooting for your ColdFusion server. Charlie Arehart’s “ColdFusion Troubleshooting Blog” is a great resource to do just that.

After solving the issues at The Company, we were able to set them up on a plan to success. This plan included CFML best practices for security and regular maintenance/updates of their ColdFusion server. Their server is now secure.

Don’t let the same thing happen to your company. Follow the advice above and learn from The Company’s unfortunate situation.

Your ColdFusion server security and business depend on it!

Related: Adobe ColdFusion Comprehensive Guide (More Powerful, More Modernized, More Alive)

And to continue learning how to make your ColdFusion apps more modern and alive, I encourage you to download our free ColdFusion Alive Best Practices Checklist.

Because… perhaps you are responsible for a mission-critical or revenue-generating CF application that you don’t trust 100%, where implementing new features is a painful ad-hoc process with slow turnaround even for simple requests.

What if you have no contingency plan for a sudden developer departure or a server outage? Perhaps every time a new freelancer works on your site, something breaks. Or your application availability, security, and reliability are poor.

And if you are depending on ColdFusion for your job, then you can’t afford to let your CF development methods die on the vine.

You’re making a high-stakes bet that everything is going to be OK using the same old app creation ways in that one language — forever.

All it would take is for your fellow CF developer to quit or for your CIO to decide to leave the (falsely) perceived sinking ship of CFML and you could lose everything—your project, your hard-won CF skills, and possibly even your job.

Luckily, there are a number of simple, logical steps you can take now to protect yourself from these obvious risks.

No Brainer ColdFusion Best Practices to Ensure You Thrive No Matter What Happens Next

ColdFusion Alive Best Practices Checklist

Modern ColdFusion development best practices that reduce stress, inefficiency, project lifecycle costs while simultaneously increasing project velocity and innovation.

√ Easily create a consistent server architecture across development, testing, and production

√ A modern test environment to prevent bugs from spreading

√ Automated continuous integration tools that work well with CF

√ A portable development environment baked into your codebase… for free!


Michaela Light is the host of the CF Alive Podcast and has interviewed more than 100 ColdFusion experts. In each interview, she asks "What Would It Take to make CF more alive this year?" The answers still inspire her to continue to write and interview new speakers.

Michaela has been programming in ColdFusion for more than 20 years. She founded TeraTech in 1989. The company specializes in ColdFusion application development, security and optimization. She has also founded the CFUnited Conference and runs the annual State of the CF Union Survey.
