Is your ColdFusion Administrator Actually Public?
Every so often I get an email back from someone who ran HackMyCF.com saying something like this:
Your scanner says our ColdFusion Administrator is publicly accessible, but I don't think that's true. Am I missing something?
If you visit /CFIDE/administrator/ on their server you will get a 404. BUT if you visit /CFIDE/administrator/index.cfm on their server it resolves to the ColdFusion Administrator. Go ahead and take a minute to try this for yourself on your server; you may be surprised by the results.
This can happen when there is no /CFIDE folder in the given site's web root, and there is no virtual mapping for /CFIDE on the virtual host.
ColdFusion sets itself up with a wildcard mapping that lets it inspect every request and decide whether it wants to handle it, even when the requested file does not exist on disk. So even without a /CFIDE directory in the web root, it will still serve CFM files under the /CFIDE path.
So how do you prevent this?
There are a few ways to do this. The first is to tell IIS to "Verify that file exists" before it sends requests to JRun, though this option may interfere with other ColdFusion features such as cfchart, Flash Remoting, etc.
Another way to block such requests is to set up an explicit block of the /CFIDE/ or /CFIDE/administrator URIs in IIS. There are a few ways to do that: on IIS 7 the Request Filtering plugin is a good choice; on earlier versions consider UrlScan, or something like ISAPIRewrite.
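As an added example (not from the original post), here is a site-level web.config that applies the IIS 7 Request Filtering block described above. It assumes the site has no legitimate need for /CFIDE/administrator to be reachable from the web; the broader block of the whole /CFIDE tree is included commented out.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the original post: site-level web.config for IIS 7.
     Request Filtering rejects any request whose URL contains a listed sequence,
     whether or not a matching file exists on disk, so the wildcard handler that
     would pass /CFIDE/administrator/index.cfm to ColdFusion never sees it.
     IIS answers such requests with a 404. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <!-- Blocks /CFIDE/administrator and everything beneath it,
               including the index.cfm case described in the post. -->
          <add sequence="/CFIDE/administrator" />
          <!-- To block the whole /CFIDE tree instead (the post's other option),
               use the broader sequence below; check first that nothing in the
               site depends on other content served under /CFIDE. -->
          <!-- <add sequence="/CFIDE/" /> -->
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

After applying it, re-check both /CFIDE/administrator/ and /CFIDE/administrator/index.cfm on the site; both should now return a 404.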
There are probably a few more ways to block this, and a few more causes that are not outlined here, but the bottom line is to check for it and make sure you have blocked it.
I haven't seen this issue on any of my Apache Linux installs, but that doesn't mean it can't show up there as well; it could just be a side effect of how I set up those servers.
Tags: coldfusion, administrator, cfide, security, iis
Comments
On 05/11/2010 at 5:49:27 PM EDT Bradley Moore wrote:
Created empty folder /CFIDE/Administrator/ and perma-redirecting to site root via IIS6. Seems to do the trick without rewriting.
On 08/04/2010 at 2:25:03 AM EDT Aaron Neff wrote:
Hi Pete,
First, thank you very much for your work on HackMyCF.com.
Second, I just wanted to also note a couple IIS7 settings that I've used (for the CFIDE/administrator directory of each site):
1) Authentication > Anonymous Authentication > Disabled
2) IPv4 Address and Domain Restrictions > Edit Feature Settings > Access for unspecified clients > Deny
Thanks! -Aaron
On 08/04/2010 at 12:52:34 PM EDT Pete Freitag wrote:
Thanks for the feedback Aaron!
On 08/06/2010 at 1:24:51 AM EDT Aaron Neff wrote:
You're very welcome Pete!