bryan alexander edited this page May 7, 2014 · 1 revision

Railo is an open source alternative to ColdFusion and is an unrecoverable mess from a security perspective, although not much research on it has been published.

Administrative Interfaces

The administrative interface may be found at:

http://<host>:<port>/railo-context/admin/server.cfm
http://<host>:<port>/railo-context/admin/web.cfm

Password guessing attacks against Railo are possible, but they must be throttled. Initial research shows that attempting more than 1 password per second causes even valid credentials to return a login failure.
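From the defender's side, the same rate limit the page describes is also the signal to look for in web-server logs: a client submitting more than one admin login per second is not a person. The following is an added example, not part of this wiki or of clusterd, that parses constructed combined-format access-log lines (illustrative, not from any real deployment) and flags bursts of POSTs to the two admin paths listed above.

```python
import re
from collections import Counter

# Constructed sample web-server access-log lines (combined log format);
# illustrative only, not taken from any real Railo deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [07/May/2014:10:00:01 +0000] "POST /railo-context/admin/server.cfm HTTP/1.1" 200 512
10.0.0.5 - - [07/May/2014:10:00:01 +0000] "POST /railo-context/admin/server.cfm HTTP/1.1" 200 512
10.0.0.5 - - [07/May/2014:10:00:01 +0000] "POST /railo-context/admin/web.cfm HTTP/1.1" 200 512
10.0.0.9 - - [07/May/2014:10:00:02 +0000] "GET /railo-context/admin/server.cfm HTTP/1.1" 200 2048
10.0.0.9 - - [07/May/2014:10:00:05 +0000] "POST /railo-context/admin/server.cfm HTTP/1.1" 302 0
10.0.0.7 - - [07/May/2014:10:00:07 +0000] "GET /index.cfm HTTP/1.1" 200 1024
"""

# The two administrative interface paths named on this page.
ADMIN_PATHS = ("/railo-context/admin/server.cfm", "/railo-context/admin/web.cfm")

# Captures: client ip, timestamp, method, path, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, ts, method, path.split("?", 1)[0], int(status)


def admin_post_counts(log_text):
    """Count POSTs (login submissions) to the Railo admin pages per (ip, second)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path in ADMIN_PATHS:
            counts[(ip, ts)] += 1  # timestamps have one-second resolution here
    return counts


def flag_bursts(log_text, max_per_second=1):
    """Return sorted [(ip, timestamp, count)] for clients that submitted more than
    max_per_second admin login POSTs within one second: the rate the page says
    Railo itself rejects, and a strong indicator of automated password guessing."""
    return sorted((ip, ts, n) for (ip, ts), n in admin_post_counts(log_text).items()
                  if n > max_per_second)
```

A client that stays at or below the limit will not trip this check, so pair it with a per-client count of admin POSTs over a longer window.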

Clusterd Usage

Currently clusterd supports an attack on the Railo task scheduler similar to the one it supports for ColdFusion, but it requires administrative credentials. Like ColdFusion, Railo requires only a password, not a username, but there is no "default" password set on install.

0-day

Unauthenticated RCE exploits have not yet been released publicly. A number of vulnerabilities have been discovered and are pending release.
