Is your ColdFusion Administrator Actually Public?

April 28, 2010
coldfusion

Every so often I get an email back from someone who ran HackMyCF.com saying something like this:

Your scanner says our ColdFusion Administrator is publicly accessible, but I don't think that's true. Am I missing something?

If you visit /CFIDE/administrator/ on their server you will get a 404. BUT if you visit /CFIDE/administrator/index.cfm on their server it resolves to the ColdFusion Administrator. Go ahead and take a minute to try this for yourself on your server, you may be surprised with the results.

This can happen when there is no /CFIDE folder in the given site's web root, and there is no virtual mapping for /CFIDE on the virtual host.

ColdFusion has setup itself with a wildcard mapping that allows it to inspect all requests and see if it want's to handle them, even if the given file does not exist. When you have the /CFIDE directory in the web root it will still serve CFM files under the /CFIDE directory.

So how do you prevent this?

There are a few ways to do this, the first way is to tell IIS to "Verify that file exists" before sending requests to JRun, though this option may interfere with other features in ColdFusion such as cfchart, flash remoting, etc.

Another way to block such requests is to setup an explicit block the /CFIDE/ or /CFIDE/administrator uri's in IIS. There are a few ways to do this, for IIS 7 the Request Filtering Plugin is a good choice, earlier versions might consider using UrlScan, or something like ISAPIRewrite.

You should also consider requiring HTTPS / SSL for ColdFusion Administrator.

There are probably a few more ways you can block this, and a few more reasons that cause this that are not outlined here, but the bottom line is to check it out, and make sure you have blocked it.

I haven't seen this issue on any of my Apache Linux installs but it doesn't mean it's not possible to show up there as well, it could just be a side effect of how I setup those servers.



Related Entries

2 people found this page useful, what do you think?

Comments

Created empty folder /CFIDE/Administrator/ and perma-redirecting to site root via IIS6. Seems to do the trick witout rewriting.
Hi Pete,

First, thank you very much for your work on HackMyCF.com.

Second, I just wanted to also note a couple IIS7 settings that I've used (for the CFIDE/administrator directory of each site):

1) Authentication > Anonymous Authentication > Disabled

2) IPv4 Address and Domain Restrictions > Edit Feature Settings > Access for unspecified clients > Deny

Thanks!,
-Aaron
Thanks for the feedback Aaron!
You're very welcome Pete!
I've seen this issue reported on several CentOS 5, Apache 2.2.x, ColdFusion 9.0.1 systems. Whether or not this is reported is based on how Apache and ColdFusion are hooked with the Apache connector that ships with ColdFusion.

My preferred method of resolving this is to disallow /CFIDE/administrator/ globally or in all Apache virtual hosts. I prefer to go around the Apache Web server and use the built-in Web server when accessing the CF Admin. Doing this means I need to know the IP of the server (usually a 10 dot or 192 dot IP) and the built-in Web server port (typically 8000 range) in order to log-in to the CF Admin.

If I do this I can still access CF resources through the Apache Web server, but not anything in the /CFIDE/administrator/ folder.
If anyone is using Apache and ColdFusion together and you want to disable access to any instance of a ColdFusion Administrator through Apache, you can use the Location directive located at this pastebin URL.

http://pastebin.com/raw.php?i=ZmrQLRH4
A lot of people do not have a CFDE as they do not realise it is required for all the javascript files, such as ajax and CFFORM etc. I have so many times seem people upload sites to a live server and not bother testing only to discover that none of their CFFORM validation works for example. So it is always a good idea to have a CFIDE vdir.

There is no need to point to the original CFIDE though, this is the mistake most people make and why they have an administrator running on every site.

Just make a copy of your CFIDE and remove the administrator and other non required folders, and use this as your vDIR.
@Russ, in addition to your technique, I'd also like to point out that you can have /CFIDE/scripts/ be at any location you want since there is an ColdFusion administrator setting. See: http://www.petefreitag.com/item/774.cfm
For those of you having trouble trying to figure out how to password protect the cfadmin in IIS7 or 7.5, read this. http://www.iis.net/ConfigReference/system.webServer/security/authorization
Took a while to figure it out til I stumbled upon this page.
Just wanted to add some help here for locking down CFIDE in an IIS 5 or 6 environment that may be easier for some than some of the previous suggestions. The information is in this post:
http://www.morgankelsey.com/post/how-to-lock-down-cfide-in-iis

I'll paste in a bit of the detail here as well:
-----------------------------------------------
- Open IIS, expand each site that has a virtual mapping to CFIDE.
- Right click CFIDE and click Properties.
- Go to the Directory Security Tab.
- Click the Edit button inside the "IP Address and domain name restrictions" section.
- Click the radio for "Denied access except for the following"
- Add your machine's internal IP, and add 127.0.0.1
Click OK, etc.

Now you need to allow access to /CFIDE/scripts/, or your cfforms won't work.

Right click /CFIDE/scripts/ and click Properties.
- Go to the Directory Security Tab.
- Click the Edit button inside the "IP Address and domain name restrictions" section.
- Click the radio for "Granted Acess"
Click OK, etc.

Go to the command prompt and issue the iisreset command.

Make sure you can still get to your CFAdmin while logged onto your box directly. Make sure you can't from the outside world.

Post a Comment




  



Spell Checker by Foundeo

Recent Entries



foundeo


did you hack my cf?