We have a security vulnerability found in penetration testing:
Cleartext Storage of Sensitive Information in a Cookie
ColdFusion version 11
This app is using base64 encoding for admin console cookies. Base64 encoding only makes the value harder to read, and therefore provides only a weak protection mechanism. The cookies therefore include the admin password. Also, as described in other parts of the report, this cookie is exchanged over an unencrypted channel.
Instead of using base64-encoded plaintext containing the password, use a random string to authenticate a valid admin-privileged session.
Question: can someone help with how to fix this?
A suggestion. Open the ColdFusion Administrator and go to Server Settings > Memory Variables. Scroll to the bottom of the page. Select the strongest cookie security settings.
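To make the finding and the recommended fix concrete, here is an added Python example (not ColdFusion's code and not from the original post). The first function shows why base64 gives no protection: the cookie value decodes straight back to the credential. The second part implements what the report asks for: a high-entropy random token handed to the browser, with the real identity kept in a server-side session table, and the Set-Cookie header carrying the Secure and HttpOnly flags the administrator settings control. The cookie name CFADMIN, the "user:password" layout of the sample value, and the admin path are constructed for illustration and are not the real ColdFusion cookie format.

```python
import base64
import secrets
from http.cookies import SimpleCookie

# Constructed sample (hypothetical cookie name and layout): the kind of value
# a pentester would see if the admin console stored "user:password" in base64.
SAMPLE_COOKIE_HEADER = "CFADMIN=" + base64.b64encode(b"admin:Secret123").decode()


def decode_base64_cookie(cookie_header):
    """Decode every cookie value as base64.

    Base64 is a reversible encoding, not encryption: anyone who can read the
    cookie (proxy on an unencrypted channel, browser storage, logs) recovers
    the original text with one call.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {name: base64.b64decode(morsel.value).decode() for name, morsel in jar.items()}


class SessionStore:
    """Opaque random session tokens mapped to server-side session data.

    The browser only ever holds the token; the username (and never the
    password) lives on the server, so the cookie reveals nothing if captured.
    """

    def __init__(self):
        self._sessions = {}

    def create(self, username):
        # 32 random bytes (256 bits) from the OS CSPRNG, URL-safe encoded.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username}
        return token

    def lookup(self, token):
        # Returns the session data for a valid token, or None for an unknown one.
        return self._sessions.get(token)

    def revoke(self, token):
        self._sessions.pop(token, None)


def build_set_cookie(name, token, path="/CFIDE/administrator"):
    """Set-Cookie value with the flags that address the transport part of the finding.

    Secure: never sent over plain HTTP.  HttpOnly: not readable from script.
    SameSite=Strict: not attached to cross-site requests.  Path is an assumption
    for this example, not a verified ColdFusion default.
    """
    return f"{name}={token}; Path={path}; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    print("decoded old-style cookie:", decode_base64_cookie(SAMPLE_COOKIE_HEADER))
    store = SessionStore()
    tok = store.create("admin")
    print("Set-Cookie:", build_set_cookie("CFADMIN", tok))
    print("server-side lookup:", store.lookup(tok))
```

The token is only meaningful while the server-side entry exists, so logging out (or a timeout) is a single `revoke` call, which is something a password-bearing cookie can never offer: a captured base64 cookie stays valid for as long as the password does.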