In the spirit of openness, we've published the final ColdFusion 7.0.2 Product Security Audit Report given to us by the 3rd party security firm, IRM, used to examine ColdFusion 7.0.2 for potential vulnerabilities, here:
We'll try to make a practice of publishing the full final reports from our external product vulnerability audits for future releases from now on as well.
The report is very, very vague.
We gave them complete source code (under iron-clad NDA, of course), direct, unlimited access to our engineers, did deep-dives on the features, adapters and gateways, and confessed where we were worried about problems. The IRM team made note, and with access to the ColdFusion and Flex source code, dug in deep and found problems we had to address.
They found issues ranging from potential SQL injection issues in the generated CFML code, to mandating that we lock down the RMI CF/FDS listeners to localhost by default, to mandating that we change the way we coded some things, to identifying a potential DoS attack scenario (and a recommended resolution, which we implemented), etc.