Is your ColdFusion Administrator Actually Public?
Every so often I get an email back from someone who ran HackMyCF.com saying something like this:
Your scanner says our ColdFusion Administrator is publicly accessible, but I don't think that's true. Am I missing something?
If you visit
/CFIDE/administrator/ on their server you will get a 404. BUT if you visit
/CFIDE/administrator/index.cfm on their server it resolves to the ColdFusion Administrator. Go ahead and take a minute to try this for yourself on your server, you may be surprised with the results.
This can happen when there is no /CFIDE folder in the given site's web root, and there is no virtual mapping for /CFIDE on the virtual host.
ColdFusion has setup itself with a wildcard mapping that allows it to inspect all requests and see if it want's to handle them, even if the given file does not exist. When you have the /CFIDE directory in the web root it will still serve CFM files under the /CFIDE directory.
So how do you prevent this?
There are a few ways to do this, the first way is to tell IIS to "Verify that file exists" before sending requests to JRun, though this option may interfere with other features in ColdFusion such as cfchart, flash remoting, etc.
Another way to block such requests is to setup an explicit block the /CFIDE/ or /CFIDE/administrator uri's in IIS. There are a few ways to do this, for IIS 7 the Request Filtering Plugin is a good choice, earlier versions might consider using UrlScan, or something like ISAPIRewrite.
You should also consider requiring HTTPS / SSL for ColdFusion Administrator.
There are probably a few more ways you can block this, and a few more reasons that cause this that are not outlined here, but the bottom line is to check it out, and make sure you have blocked it.
I haven't seen this issue on any of my Apache Linux installs but it doesn't mean it's not possible to show up there as well, it could just be a side effect of how I setup those servers.
Like this? Follow me ↯Tweet Follow @pfreitag
Is your ColdFusion Administrator Actually Public? was first published on April 28, 2010.
If you like reading about coldfusion, administrator, cfide, security, or iis then you might also like:
- Changing the ColdFusion CFIDE Scripts Location
- Howto Require SSL for ColdFusion Administrator
- New HackMyCF Features
- Locking Down ColdFusion Presentation Slides
- ColdFusion wsconfig Hotfix CVE-2009-1876 is for Apache Only
- Speaking at ColdFusion Summit Online Next Week
- OpenSSL and ColdFusion / Lucee / Tomcat
- ColdFusion Security Training Class December 2022
The FuseGuard Web Application Firewall for ColdFusion & CFML is a high performance, customizable engine that blocks various attacks against your ColdFusion applications.