CF 2016 showing wrong version number

Report · May 16, 2017

I have a vulnerability scanner that is showing our CF version as version 6. But I do not have version 6 installed. it is actually version 2016.

its saying its finding it here

http://servername:8500/CFIDE

any assistance, besides just forwarding me an 80 page document, would be appreciated

thank you!

Report · May 17, 2017

What vulnerability scanner? I would say its not a very good one. You have 2016 installed, its probably a very out of date scanner just assuming this url is CF 6.

I don't think any assistance can be given here really. The only question would be did you upgrade from version 6?

Otherwise you will need to find another scanner or talk to the scanner vendor.

Report · May 17, 2017

Its a relatively decent in terms of scanners go. But. I guess what I'm trying to figure out is, what is under the folder its looking in (the CFIDE folder via port 8500) that would report back to it a version number? its false positive but still...what IS it looking at?

Report · May 18, 2017

You should really follow a lockdown guide (http://wwwimages.adobe.com/content/dam/acom/en/products/coldfusion/pdfs/coldfusion-2016-lockdown-gui... This way there would be no access.

I dont think there is anything that would give away the version other then something on the login screen like the logo. The scanner might just be assuming that because the URL exists on that port, thats its CF 6. Which is why I mentioned it not being very good.

Report · May 18, 2017

Ok, thank you!!

Yea, it isnt really that intelligent.

CF 2016 showing wrong version number

1 Correct answer