STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
V-279083

CAT II (Medium)

ColdFusion must configure Data Sources to limit SQL command and configure timeout.

Rule ID

SV-279083r1171449_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002385, CCI-000197

Discussion

Data sources configured within ColdFusion can be exploited if not properly restricted. Allowing unrestricted SQL commands increases the risk of unauthorized data manipulation, privilege escalation, or destructive operations. If a data source permits these types of commands without explicit need, an attacker who compromises the application could use it to alter the database schema, escalate access, or destroy critical data.

Failing to enforce query timeout values allows poorly constructed or maliciously crafted SQL statements to consume excessive resources. Long-running queries can degrade database performance or cause denial-of-service (DoS) conditions, impacting application availability for legitimate users.

Limiting SQL commands to only those required for application functionality, and enforcing strict query timeouts, ensures that ColdFusion applications operate within expected bounds, maintain system stability, and protect backend data resources. These controls help reduce the attack surface and enforce the principle of least privilege across the application's database interactions.

Satisfies: SRG-APP-000435-AS-000163, SRG-APP-000172-AS-000120

Check Content

Verify that every defined data source restricts the SQL commands it allows and enforces query and login timeouts.

1. From the Admin Console Landing Screen, navigate to Data & Services >> Data Sources.

2. Determine if any data sources are defined. 

If no data sources are defined, this is not a finding.

3. For each Connected Data Source, edit the data source by clicking "Show Advanced Settings" to display all configuration options.

4. Check whether the data source provides an option to specify a query timeout. 

If the query timeout setting is not available, this is not a finding.

5. If the query timeout setting is available, verify that the value is not set to "0", which indicates no timeout.

If any data source has a query timeout configured with a value of "0", this is a finding.

6. Review "Login Timeout (sec)".

If any data source has a "Login Timeout (sec)" value higher than 5, this is a finding.

7. Review the SQL command options for each data source.

If any data source has CREATE, GRANT, DROP, REVOKE, or ALTER checked, this is a finding.

Fix Text

Configure each data source to allow only the SQL commands the application needs and to enforce timeouts.

1. From the Admin Console Landing Screen, navigate to Data & Services >> Data Sources.

2. For each data source, edit the data source configuration:

a. Click "Show Advanced Settings" to display all options.

b. If the query timeout parameter is available, set the timeout value to a number greater than 0 to ensure queries do not run indefinitely.

c. Set "Login Timeout (sec)" to 5 or less; the check flags any value higher than 5.

d. Uncheck the options that allow the following SQL commands:
CREATE
GRANT
DROP
REVOKE
ALTER

e. Click "Submit" to save changes.
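The Check Content and Fix Text above describe a manual review in the Admin Console. The following script is an added example, not part of the STIG or of STIGhub, that applies the same three tests (query timeout not 0, Login Timeout not higher than 5, none of CREATE/GRANT/DROP/REVOKE/ALTER enabled) to a ColdFusion data source configuration exported as a WDDX packet. The packet layout (an array whose first struct maps data source name to a struct of settings) and the setting names `timeout`, `login_timeout`, `create`, `grant`, `drop`, `revoke` and `alter` are assumptions modelled on the layout of ColdFusion's neo-datasource.xml; confirm them against a real file or the Admin Console before relying on the output for a compliance determination. The embedded sample packet is constructed for the example.

```python
"""Audit ColdFusion data source settings against the V-279083 check steps.

Added example; not part of the STIG or STIGhub. The WDDX layout and the
setting names below are assumptions and must be confirmed against a real
neo-datasource.xml or the Admin Console before the results are relied on.
"""
import xml.etree.ElementTree as ET

# Assumed setting names inside each data source struct.
SQL_CMD_KEYS = ("create", "grant", "drop", "revoke", "alter")
QUERY_TIMEOUT_KEY = "timeout"
LOGIN_TIMEOUT_KEY = "login_timeout"
MAX_LOGIN_TIMEOUT = 5  # check step 6: a value higher than 5 is a finding

# Constructed sample packet: hr_db is compliant, legacy_db fails all three tests.
SAMPLE_WDDX = """<wddxPacket version='1.0'><header/><data><array length='2'>
<struct type='coldfusion.server.ConfigMap'>
 <var name='hr_db'><struct type='coldfusion.server.ConfigMap'>
  <var name='select'><boolean value='true'/></var>
  <var name='create'><boolean value='false'/></var>
  <var name='grant'><boolean value='false'/></var>
  <var name='drop'><boolean value='false'/></var>
  <var name='revoke'><boolean value='false'/></var>
  <var name='alter'><boolean value='false'/></var>
  <var name='timeout'><number>1200.0</number></var>
  <var name='login_timeout'><number>5.0</number></var>
 </struct></var>
 <var name='legacy_db'><struct type='coldfusion.server.ConfigMap'>
  <var name='select'><boolean value='true'/></var>
  <var name='create'><boolean value='true'/></var>
  <var name='grant'><boolean value='false'/></var>
  <var name='drop'><boolean value='true'/></var>
  <var name='revoke'><boolean value='false'/></var>
  <var name='alter'><boolean value='false'/></var>
  <var name='timeout'><number>0.0</number></var>
  <var name='login_timeout'><number>30.0</number></var>
 </struct></var>
</struct>
<struct type='coldfusion.server.ConfigMap'/>
</array></data></wddxPacket>"""


def _value(node):
    """Convert one WDDX value element (boolean, number, string, struct, array) to Python."""
    if node.tag == "boolean":
        return node.get("value") == "true"
    if node.tag == "number":
        return float(node.text)
    if node.tag == "string":
        return node.text or ""
    if node.tag == "struct":
        return {v.get("name"): _value(v[0]) for v in node.findall("var") if len(v)}
    if node.tag == "array":
        return [_value(child) for child in node]
    return None  # <null/> or unknown element


def load_datasources(wddx_text):
    """Return {dsn_name: settings} from the packet (assumed: first struct of the top array)."""
    root = ET.fromstring(wddx_text)
    top = _value(root.find("data")[0])
    return top[0] if isinstance(top, list) else top


def audit_datasource(name, settings):
    """Apply the V-279083 check steps to one data source; return a list of finding strings."""
    findings = []
    # Steps 4-5: only a finding when the query timeout setting exists and is 0.
    if QUERY_TIMEOUT_KEY in settings and settings[QUERY_TIMEOUT_KEY] == 0:
        findings.append(f"{name}: query timeout is 0 (no timeout)")
    # Step 6: Login Timeout (sec) higher than 5.
    login = settings.get(LOGIN_TIMEOUT_KEY)
    if login is not None and login > MAX_LOGIN_TIMEOUT:
        findings.append(f"{name}: Login Timeout {login:g}s exceeds {MAX_LOGIN_TIMEOUT}s")
    # Step 7: schema/privilege SQL commands must be unchecked.
    enabled = [k.upper() for k in SQL_CMD_KEYS if settings.get(k)]
    if enabled:
        findings.append(f"{name}: SQL commands allowed that must be unchecked: {', '.join(enabled)}")
    return findings


def audit_all(wddx_text):
    """Audit every data source. An empty dict is 'not a finding', including no data sources."""
    report = {}
    for name, settings in load_datasources(wddx_text).items():
        found = audit_datasource(name, settings)
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    result = audit_all(SAMPLE_WDDX)
    if not result:
        print("Not a finding")
    for dsn_findings in result.values():
        for item in dsn_findings:
            print("FINDING:", item)
```

Run it against a copy of the exported configuration rather than the live file on the server, and treat every reported line as something to confirm in the Admin Console; the Fix Text values (query timeout greater than 0, Login Timeout of 5 or less, the five SQL commands unchecked) are what the corrected data source must show.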