As most folks have undoubtedly heard by now, the number of hacks against vulnerable ColdFusion servers has increased exponentially, including high profile breaches such as the Department of Energy and Washington state’s court. This article by Information Week goes into more detail.
This of course means that any servers running older versions of ColdFusion will remain vulnerable to attack indefinitely as there will never be any new patches or updates to fix those vulnerabilities. If your website is running on a legacy version of ColdFusion then it is at risk and will continue to be so.
Earlier this year, in a previous post, we let customers on the legacy servers know that we would be discontinuing support for older versions of ColdFusion, primarily for security reasons, and that as we migrate customers off our old HELM systems we will only be supporting ColdFusion 9/10 onward. However, after 6 months we found that most customers still had not taken any action to test or update their websites on newer versions of ColdFusion, so we extended the deadline and delayed our migrations.
Why should we upgrade?
One other response we have received from some customers is “we do not want to update our site and incur any costs, so we will just move to another host that still supports ColdFusion 5/6/7/8”.
While we understand it can be frustrating to have to update a website which, for all intents and purposes, appears to still be working fine, moving to another host will not solve the security issues; it will simply prolong the inevitable. Please be aware that the vulnerabilities affect any server at any host running legacy versions of ColdFusion, and while there may well be some hosts out there who will continue to offer these legacy versions, they are doing so out of complete ignorance or negligence.
We are, however, taking this proactive action not only to protect ourselves but also to protect our less tech-savvy customers from having their websites hacked and used as phishing/scam websites. Unfortunately these types of hacks can go unnoticed for months by the website owners, by which point your website may have been used to scam or spread malware to thousands of unsuspecting visitors.
Consider this analogy:
Your house is extremely insecure: it has single-glazed windows and doors with no locks, the bricks are so loose they can be removed, and there is no alarm system. Your insurance company tells you that they cannot provide you with any contents insurance on this house due to the complete lack of security. The only solution is to get a better, more secure house; moving to a new house that had exactly the same issues would not solve your problems and would put you back in the same situation, except it would have cost you considerably more time and money.
Moving to a host with the exact same CF version = the exact same problem.
What can we do to help?
We also understand that many customers do not have the technical skills or knowledge to address this issue, but fear not, as we do have all the required skills and knowledge, and there are several solutions we can offer:
1. Site rebuild
We have found that many customers with legacy (old) websites actually have quite a few other security issues with their site as well, such as SQL injection, form spamming, etc. While ColdFusion may have been a great solution at the time the site was originally built, it can be rather overkill now for a simple site when there are many off-the-shelf open source solutions that will do exactly what you need at no cost. Many common website attacks have also become commonplace since your website was first built, and your site is now vulnerable to them (the same would also be true of sites built in ASP or PHP or any other language, not just ColdFusion). In many cases we have found that we can rebuild simple websites using something like WordPress in less time than it would take to test and fix the site on a new version of ColdFusion; often we can do this in 1 way.
This has other added advantages.
- WordPress is FREE and open source
- WordPress has thousands of FREE plugins to add additional functionality to your website.
- WordPress gets updates regularly to address any bugs or security issues; you can easily apply these updates yourself or ask us to do it for you.
- WordPress has thousands of templates to choose from, giving you the chance to refresh your website design as well and make it compatible with mobile devices.
2. Upgrade to new CF version
We can test your site on the latest version of CF and make sure it works correctly, as well as fix any other security issues we may find, and then migrate you to our new servers.
3. Upgrade/Switch to Railo
Railo is a FREE open source alternative to ColdFusion which has various benefits, such as:
- None of the current ColdFusion security issues
- Every customer gets their own Railo admin, so they can manage their own settings, data sources, etc. without having to contact us.
- Supports plugins and application extensions
- You could switch to dedicated hosting without the associated license costs of ColdFusion
- Bugs get fixed far more quickly
- All settings can be stored locally within your site and thus moved between servers and hosts.
We can test your site on Railo, fix any issues and migrate you to our new servers. In most cases we have found that old legacy sites will run on Railo with little or no changes, and often with fewer changes than are required to get them working on a newer version of ColdFusion.
If you would like to speak with us in advance of your migration to discuss your options further or obtain a quote then you can call us on 0845 468 2369 or complete the contact form on our website.