Changing the ColdFusion CFIDE Scripts Location
By Pete Freitag
One of the things the HackMyCF ColdFusion server security scanner looks for is whether the /CFIDE/scripts/ folder (CF11 and below) or the /cf_scripts/scripts/ folder (CF2016 and up) is still in its default location. There have been security vulnerabilities in this folder in the past, most notably the FCKeditor vulnerability in ColdFusion 8.
Because it is really easy to change the default location of /cf_scripts/scripts/ (or /CFIDE/scripts/), why not make an attacker's life that much more difficult? A scanner or exploit that hard-codes the default path simply won't find the files there.
Do I even need the scripts folder?
You may not! The folder holds the JavaScript and CSS that ColdFusion's built-in UI tags (cfform, cfgrid, cftextarea in richtext mode and the cfajax/cflayout family, for example) emit references to; if your applications don't use those tags, nothing public needs it. In that case you can just block it on your web server. This provides the best security because you have just reduced your attack surface.
How do I move it to a non-default location?
It's pretty easy to move it to a non-default location, because the ColdFusion Administrator has a setting called Default ScriptSrc Directory (located on the Settings page). By default it is set to /CFIDE/scripts/ on CF11 and below, or /cf_scripts/scripts/ on CF2016 and up.
We can come up with a totally new URI, and be creative; in this blog entry we'll use /cfjs/ (be sure to pick something unique and not already in use). Enter the new URI in that setting and ColdFusion will generate its script references against /cfjs/ instead of the default path.
Set up the virtual directory for your new URI
Your next step is to set up a virtual directory for your new ColdFusion scripts directory, /cfjs/, pointing at the existing scripts folder on disk. You also want to block access to /CFIDE/scripts/. I prefer not to actually move or rename the /CFIDE/scripts/ directory (I block it on the web server instead); this way we can ensure that any ColdFusion installer updates can still do their thing.
Using Apache with mod_alias
Most Apache web servers will have the mod_alias module enabled, so we can use that to set up the virtual directory for all websites, and also block requests to /CFIDE/scripts/. To do this add the following to the end of your Apache configuration:

# Create a new Virtual Directory
Alias /cfjs /var/www/path/to/CFIDE/scripts

# Return 404 for all requests to /CFIDE/scripts
RedirectMatch 404 (?i)/CFIDE/scripts.*

The (?i) makes the match case-insensitive; that matters on Windows, where the filesystem would happily serve /cfide/SCRIPTS/ past a rule that only matches the exact spelling. Two things to check after adding this: on Apache 2.4 the aliased directory also needs a <Directory> block that grants access (Require all granted), or requests to /cfjs/ will get a 403; and on CF2016+ the Alias target and the RedirectMatch pattern should reference /cf_scripts/scripts rather than /CFIDE/scripts.
Using IIS
If you are using IIS 7 or greater you can use IIS Request Filtering to block access to /CFIDE/scripts/ after creating the necessary virtual directory, by adding a sequence under the <denyUrlSequences> node (under the <requestFiltering> node) in your IIS configuration:

<denyUrlSequences>
    <add sequence="/CFIDE/scripts"/>
</denyUrlSequences>

Request Filtering answers a denied sequence with a 404 (substatus 404.5), so the old path looks absent rather than forbidden. The /cfjs/ virtual directory should point at the existing scripts folder on disk, the same as with Apache; on CF2016+ deny /cf_scripts/scripts instead.
For CF10+ you will also need to create a virtual directory on the Tomcat built-in web server if you use it to access the ColdFusion Administrator. If you skip this, certain parts of the CF Administrator might not work (typically the server update feature).
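Once the setting, the alias and the block rule are in place, it is worth checking the result from outside rather than trusting the config. The following script is an added example, not code from the original post or from HackMyCF: it requests a known scripts file at each default location, in several case spellings (the same bypass the (?i) in the Apache rule guards against), expects a 403 or 404 for each, and expects the same file to come back with a 200 under the new URI. The probe file name cfform.js, the /cfjs/ URI and the host are assumptions; substitute any file you know is shipped in your scripts folder.

```python
"""External check that a ColdFusion scripts-directory move actually took effect.

Added example (not from the original post).  Usage:
    python cf_scripts_check.py https://www.example.com /cfjs/
Exit status 0 means the old paths are blocked and the new one serves files.
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.request
from typing import Callable

# Default locations named in the post: CF11 and below, and CF2016 and later.
DEFAULT_PATHS = ("/CFIDE/scripts/", "/cf_scripts/scripts/")

# Assumption: cfform.js is shipped in the scripts folder of every ColdFusion
# release, so it is a convenient file to probe.  Use any file you know is there.
PROBE_FILE = "cfform.js"

# Statuses that count as "blocked" for the old locations.
BLOCKED = {403, 404}


def http_status(url: str, timeout: float = 10.0) -> int:
    """GET url and return the HTTP status code, treating 4xx/5xx as data, not errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "cf-scripts-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def case_variants(path: str) -> list[str]:
    """Spellings of a default path a scanner might try to slip past a
    case-sensitive block rule (the Apache RedirectMatch uses (?i) for this)."""
    return list(dict.fromkeys((path, path.lower(), path.upper(), path.swapcase())))


def check_relocation(base_url: str, new_uri: str,
                     fetch: Callable[[str], int] = http_status) -> dict:
    """Probe the old and new scripts paths on base_url.

    Returns {'ok': bool, 'findings': [str, ...]}; an empty findings list means
    every default spelling was blocked and the new URI served the probe file.
    fetch is injectable so the logic can be exercised without a live server.
    """
    base = base_url.rstrip("/")
    findings: list[str] = []

    # Every default location, in every case spelling, must be blocked.
    for default in DEFAULT_PATHS:
        for variant in case_variants(default):
            url = base + variant + PROBE_FILE
            status = fetch(url)
            if status not in BLOCKED:
                findings.append(f"default path still reachable: {url} -> {status}")

    # The relocated alias must actually serve the same file.
    new_url = base + "/" + new_uri.strip("/") + "/" + PROBE_FILE
    status = fetch(new_url)
    if status != 200:
        findings.append(f"new scripts path not serving {PROBE_FILE}: {new_url} -> {status}")

    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: cf_scripts_check.py <base_url> <new_scripts_uri>")
    report = check_relocation(sys.argv[1], sys.argv[2])
    for line in report["findings"]:
        print(line)
    print("OK" if report["ok"] else "FAIL")
    sys.exit(0 if report["ok"] else 1)
```

Run it from a host that reaches the site the way the public does, not from the server itself, so that any Tomcat-connector or load-balancer path between the internet and ColdFusion is exercised too. A finding for a lowercase or mixed-case spelling with the uppercase one blocked is the signature of a case-sensitive rule on a case-insensitive filesystem.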
If you want an even more secure approach (blocking more of the /CFIDE structure), take a look at the ColdFusion 9 Lockdown Guide that I wrote for Adobe; it has more in-depth examples for Apache and IIS 7.
Changing the ColdFusion CFIDE Scripts Location was first published on January 10, 2011.