Access to Other Servers is Risky

ColdFusion lets developers access files and directories using tags and functions such as FileExists(). These tags and functions have access to local drives only. ColdFusion (on Windows) runs as a service, and Windows services by default cannot access other servers. Is there a workaround? Yes, there is, but using it introduces a real security risk.
First the workaround. Windows allows services to run under user accounts. This is configured in the Services control panel (select the properties for the service, and use the “log on as” option). This way the Windows service (ColdFusion) will have access to whatever servers and resources the user account has access to.
But this can be dangerous. As a general rule it is good to assume that anything on your public-facing ColdFusion box can be accessed against your will. Some paranoia, especially pertaining to public-facing web sites, is a good thing. And if your server is ever compromised, then any resources that it has access to will be compromised too. If ColdFusion has access to other servers, then any code given to ColdFusion to execute does too. That’s a significant risk, so significant that you are almost always better off accessing other servers via FTP or HTTP or SOAP or anything but actual file system access.
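A quick way to audit whether the workaround is in use: the script below (an added example, not from the original post) lists the "log on as" account of each ColdFusion service and flags any that run as a user account rather than a built-in service identity. The `*ColdFusion*` name filter is an assumption; adjust it to match the service name on your own server.

```powershell
# Added example: report which identity the ColdFusion service logs on as.
# A built-in identity (LocalSystem, LocalService, NetworkService) keeps the
# service confined to local drives; a user account gives the service, and any
# code it is tricked into executing, the same reach to other servers that the
# account has.

# Built-in identities as reported by the Win32_Service StartName property.
$builtIn = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

# Assumption: the service's Name or DisplayName contains "ColdFusion".
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like '*ColdFusion*' -or $_.DisplayName -like '*ColdFusion*' }

if (-not $services) {
    Write-Warning 'No service matching *ColdFusion* was found; adjust the name filter.'
}

foreach ($svc in $services) {
    $account = $svc.StartName
    # -contains compares case-insensitively, so casing differences across
    # Windows versions do not matter here.
    if ($builtIn -contains $account) {
        $risk = 'built-in identity: local drives only'
    } else {
        $risk = 'user account: service reaches every server this account can'
    }
    [PSCustomObject]@{
        Service = $svc.Name
        State   = $svc.State
        LogOnAs = $account
        Risk    = $risk
    }
}
```

Run it in an elevated PowerShell session on the ColdFusion host; any row flagged as a user account is one where a compromise of the web server also exposes whatever that account can reach.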