Changing the ColdFusion CFIDE Scripts Location
One of the things that the HackMyCF ColdFusion server security scanner looks for is whether the /CFIDE/scripts/ folder is in its default location. There have been security vulnerabilities in this folder in the past, most notably the FCKEditor vulnerability in ColdFusion 8.
Because it is easy to change the default location of /CFIDE/scripts/, why not make a hacker's life that much more difficult?
Moving it to a non-default location is straightforward, because the ColdFusion Administrator has a setting called Default ScriptSrc Directory (on the Settings page). By default it is set to /CFIDE/scripts/:
Pick a completely new URI for it and be creative; in this blog entry we'll use /cfjs/ (be sure to pick something unique that is not already in use).
Set up the virtual directory for your new URI
Your next step is to set up a virtual directory for your new ColdFusion scripts directory, /cfjs/. You also want to block access to /CFIDE/scripts/. I prefer not to actually move or rename the /CFIDE/scripts/ directory (I block it on the web server instead); this way any ColdFusion installer updates can still do their thing.
Using Apache with mod_alias
Most Apache web servers will have the mod_alias module enabled, so we can use it both to set up the virtual directory for all websites and to block requests to /CFIDE/scripts/. The RedirectMatch below is a regular-expression match on the request URL (the (?i) makes it case-insensitive, so /cfide/scripts/ is caught too); the Alias still works because it maps a different URL to the same physical directory. Add the following to the end of your httpd.conf file:
# Create a new Virtual Directory
Alias /cfjs /var/www/path/to/CFIDE/scripts
# Return 404 for all requests to /CFIDE/scripts
RedirectMatch 404 (?i)/CFIDE/scripts.*
Using IIS
If you are using IIS 7 or greater, then after creating the necessary virtual directory you can use IIS Request Filtering to block access to /CFIDE/scripts/ by adding a sequence under the <denyUrlSequences> node (under the <requestFiltering> node) in the applicationHost.config file:
<denyUrlSequences>
  <add sequence="/CFIDE/scripts"/>
</denyUrlSequences>
If you want an even more secure approach (block more of the /CFIDE structure) then take a look at the ColdFusion 9 Lockdown Guide that I wrote for Adobe, it has more in depth examples for Apache and IIS 7.
Also consider that if you don't use any of the CFForm or Ajax controls, you can simply block the entire /CFIDE/scripts/ directory altogether; in that case you don't need the virtual directory at all.
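Whichever web server you use, verify the result from the outside rather than trusting the config edit. The script below is an added example (not code from this post, and not part of HackMyCF); it assumes the new alias is /cfjs as used above, that the site is reachable over plain HTTP, and that cfform.js is present in the scripts directory (it ships in /CFIDE/scripts). It probes the old path, two case variants of it, and the new alias, and reports anything that is still exposed or that the alias fails to serve.

```python
"""Verify a ColdFusion scripts-directory relocation from the outside.

Added example for this post, not HackMyCF code. Assumes the alias is /cfjs,
the site answers plain HTTP, and cfform.js exists in the scripts directory.
"""
import urllib.error
import urllib.request

# Files probed under the old and new paths. cfform.js is a stock file in
# /CFIDE/scripts; add others from your own install for wider coverage.
PROBE_FILES = ["cfform.js"]

# Every one of these prefixes must be blocked. The case variants matter:
# the Apache rule in the post is case-insensitive, and IIS on Windows
# matches paths case-insensitively anyway.
OLD_PREFIXES = ["/CFIDE/scripts", "/cfide/scripts", "/CfIdE/ScRiPtS"]

# Status codes that count as "blocked" (Apache returns 404 via RedirectMatch,
# IIS Request Filtering also answers 404; 403 is accepted as blocked too).
BLOCKED_STATUSES = {403, 404}


def http_status(url, timeout=10):
    """Return the HTTP status for a GET of url, without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # turn 3xx into an HTTPError so we see the real code
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def check_scripts_lockdown(base_url, alias="/cfjs", fetch=http_status):
    """Probe base_url and return a list of (url, status, verdict) tuples.

    verdict is "ok" when an old path is blocked or the alias serves the file,
    "exposed" when an old path still answers 200, "broken" when the alias
    does not answer 200 (CFForm/Ajax controls would then fail on the site),
    and "unexpected:<code>" for anything else (e.g. a 500 worth a look).
    fetch is injectable so the logic can be exercised without a live server.
    """
    results = []
    base = base_url.rstrip("/")
    for name in PROBE_FILES:
        for prefix in OLD_PREFIXES:
            url = f"{base}{prefix}/{name}"
            status = fetch(url)
            if status == 200:
                verdict = "exposed"
            elif status in BLOCKED_STATUSES:
                verdict = "ok"
            else:
                verdict = f"unexpected:{status}"
            results.append((url, status, verdict))
        url = f"{base}{alias}/{name}"
        status = fetch(url)
        results.append((url, status, "ok" if status == 200 else "broken"))
    return results


def is_locked_down(results):
    """True only when every probe came back "ok"."""
    return all(verdict == "ok" for _, _, verdict in results)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    for url, status, verdict in check_scripts_lockdown(target):
        print(f"{status:>3}  {verdict:<14} {url}")
    sys.exit(0 if is_locked_down(check_scripts_lockdown(target)) else 1)
```

Run it as `python check_cfide_scripts.py http://www.example.com` (a hypothetical filename and host); a non-zero exit means either the old path is still reachable or the new alias is not serving, which is the same thing a scanner would flag. Because the HTTP fetch is injectable, the same check can also be wired into a deployment test with canned responses.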
Comments
Aw man, that one burned me a while back when I upgraded to 9.0.1. I totally forgot to copy over the cfjs directory after the update and I was so confused as to why I kept getting some really bizarre error messages.
Silly me.
Or is it better to point the VDIR to the \CFIDE\scripts folder? (In conjunction with the other steps in the CF9 hardening document.)
Thanks...
When you start copying CFIDE folders around it's easy to forget about them when it comes time for updates / patches.
There are some CFM files in /CFIDE/scripts; if you want to allow their execution, you can add the read permission for the CF user account for those files as well.
We also have paid plans that let you schedule scans on a daily, weekly, monthly, quarterly basis starting at $10/month. That way you can get notified if you do something on your server that opens it back up again.