ColdFusion Lockdown Series - Multiple Partitions
One of the most frequent questions I get about the Adobe ColdFusion 9 Lockdown Whitepaper is:
Why do you suggest using 3 partitions when installing ColdFusion?
First lets get out of the way what the partitions are for:
- Operating System (typically the C:\ drive or partition)
- ColdFusion Installation
- Your Web Root (eg your CFM files)
How does this make my ColdFusion server more secure?
Consider a directory traversal vulnerability, here's what one looks like in CFML:
Now I can make a request like this:
exploit.cfm?file=../../config.xml the contents of that file will be output as long as ColdFusion has permission to read it.
If I installed everything on the same drive (eg c:\) this exploit is a whole lot more dangerous because the hacker can read any file on the server that ColdFusion has access to. With separate partitions you are limited to reading files on the same drive letter.
A few things to note:
- A directory traversal exploit could and has existed in web servers and within ColdFusion administrator (make sure you are all patched up, and give HackMyCF a try). So your code is not the only place such an exploit could take place.
- The more drives the better, 3 is a minimum, you can also create additional partitions for logs, or other apps.
- This advantage is fairly specific to Windows servers (since everything falls under
/on UNIX), but there may be other advantages to having multiple partitions as well.
Like this? Follow me ↯Tweet Follow @pfreitag
ColdFusion Lockdown Series - Multiple Partitions was first published on April 21, 2011.
If you like reading about coldfusion, lockdown, security, windows, or os then you might also like:
- CFSummit 2016 Slides
- Speaking at ColdFusion Summit Online Next Week
- OpenSSL and ColdFusion / Lucee / Tomcat
- ColdFusion Security Training Class December 2022
- ColdFusion Summit 2022 Slides
- Ways to suppress a finding in Fixinator
- Spring4Shell and ColdFusion
- Log4j CVE-2021-44228 Log4Shell Vulnerability on ColdFusion / Lucee
The Fixinator Code Security Scanner for ColdFusion & CFML is an easy to use security tool that every CF developer can use. It can also easily integrate into CI for automatic scanning on every commit.