Sunday, July 13, 2008

Attacking ColdFusion

Via The Hacker Webzine -

ColdFusion is an application server and software development framework used for the development of web-based applications[1]. ColdFusion is a similar product to Microsoft ASP.NET, JavaServer Pages or PHP. Its syntax is tag-based and almost resembles an HTML- or XML-like structure, which is very easy to learn and can be quickly adopted by web designers to create database-driven applications without much knowledge of programming. Since ColdFusion isn't very well known by many, there are, as a result, very few published hacks for it. This article goes deeper into ColdFusion and its limitations and vulnerabilities that attackers can exploit. I mainly focus on the inner workings of ColdFusion, SQL injection and information gathering. I can't really give an explanation of why ColdFusion isn't very well researched by the security industry, but my hunch is that many believe that few websites use it. I worked with ColdFusion a few times back in 2002, and its user base has grown explosively since then. A Google query[2][3] shows that at least 500 million pages run ColdFusion, either standalone or on IIS, Apache, or Solaris. Since ColdFusion has a huge user base by now, it is inevitable that it will become an interesting landscape for attack and caution.
