A user, worried about the recent attacks on ColdFusion servers, asked if he could safely block all public access to /cfide. My response to him was the following:
The short answer is “yes, if …”
There are quite a few ColdFusion features that depend on files and URLs within /cfide, including:
- <cfform> and supporting tags and features
- Charting
- Java applets (which you should not be using anyway)
- AIR synchronization
- Admin API
- And more
Oh, and then there is the biggie, ColdFusion Administrator itself.
So, can you block /cfide? If you are not using any of these features, then you can indeed create a separate locked down web site just for ColdFusion Administrator and then block all public access to /cfide. If you are using these features, then you will need to block with greater granularity and specificity so as to not break your sites and apps.
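As an added illustration that is not part of the original post, here is how those two options look in an Apache httpd 2.4 front end; the subpaths /cfide/administrator and /cfide/adminapi and the management network 10.0.0.0/8 are assumptions for this example, not values taken from the post.

```apache
# Added example (not from the original post). Assumes Apache httpd 2.4 with
# mod_authz_core in front of ColdFusion, and that ColdFusion Administrator
# and the Admin API are served under /cfide/administrator and
# /cfide/adminapi (assumed paths). Use ONE of the two options per site.

# Option 1: none of the /cfide-dependent features (cfform, charting,
# AIR synchronization, Admin API) are in use, so the public site can
# refuse every request under /cfide. ColdFusion Administrator is then
# reached only through a separate, non-public site.
<LocationMatch "(?i)^/cfide/">
    Require all denied
</LocationMatch>

# Option 2: cfform, charting or similar features still need their
# supporting files under /cfide, so block only the administrative paths
# and leave the rest of /cfide reachable by the public.
<LocationMatch "(?i)^/cfide/(administrator|adminapi)(/|$)">
    # 10.0.0.0/8 stands in for the management network (assumed value);
    # every other client address is refused.
    Require ip 10.0.0.0/8
</LocationMatch>
```

If both blocks are left in the same virtual host, the first one refuses everything under /cfide and the second never matters.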
(In my opinion, this is yet another reason to use 3rd party UI and form and charting options, but that’s a separate discussion).
Check out Pete Freitag’s critically important Adobe ColdFusion 10 Server Lockdown Guide for all the detail and step-by-step instructions you’ll need to secure your ColdFusion server. Pay special attention to the technique used to move ColdFusion Administrator to an isolated locked down non-public web site.