Participant
March 22, 2013
Question

C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\


In these days I receive an intrusion through this directory. My antivirus says that a virus is present in this dir and removes it.

I try to lock and disable CFIDE from external IP and domain.

How can I lock this type of attack?

All patches are installed until 8/03 on CF 9.0.1.

Thanks a lot.



Anit_Kumar
Community Manager
March 25, 2013

Hi,

The file residing at C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\ is not a virus. The name is alphanumeric and it is a temp file.

To Block /CFIDE requests

Even if you do not have a virtual directory specified for /CFIDE on your IIS sites, the ColdFusion IIS connector will still pass through requests for /CFIDE/administrator/index.cfm. Therefore, you must explicitly block /CFIDE requests.

IIS 7 has powerful request filtering capabilities that can enhance the security of your web server. Make sure that the Request Filtering feature is installed. Create a global Request Filtering rule for all sites on the server by editing the applicationHost.config file, which is located in the c:\windows\system32\inetsrv\config directory by default. Before editing the file, make a backup of this file. [Adobe ColdFusion 9 Server Lockdown Guide, p. 10]

This file is an XML configuration file, so all changes must result in a valid XML document. Locate the <requestFiltering> tag, which is located in the <configuration> <system.webServer> <security> <requestFiltering> hierarchy.

Add a child tag to <requestFiltering> named <denyUrlSequences> with the following information:

<denyUrlSequences>
    <add sequence="/CFIDE/administrator" />
    <add sequence="/CFIDE/adminapi" />
    <add sequence="/CFIDE/AIR" />
    <add sequence="/CFIDE/appdeployment" />
    <add sequence="/CFIDE/componentutils" />
    <add sequence="/CFIDE/debug" />
    <add sequence="/CFIDE/orm" />
    <add sequence="/CFIDE/portlets" />
    <add sequence="/CFIDE/probe.cfm" />
    <add sequence="/CFIDE/scripts" />
    <add sequence="/CFIDE/services" />
    <add sequence="/CFIDE/wizards" />
</denyUrlSequences>

If there is already a <denyUrlSequences> tag, append the <add sequence> tags to the existing tag.

Next, you must allow access to the /CFIDE/administrator URI in the cfadmin website. Create a file called web.config in the web root with the following content:

<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                <denyUrlSequences>
                    <remove sequence="/CFIDE/administrator" />
                </denyUrlSequences>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

The above configuration overrides the global request filtering and removes the deny rule for the URI /CFIDE/administrator.


Regards,

Anit Kumar
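The following is an added example, not code from the reply above or from the Adobe ColdFusion Lockdown Guide. It models how the IIS Request Filtering rules in the reply combine: the global denyUrlSequences list from applicationHost.config is inherited by every site, and the web.config in the cfadmin site's web root removes one entry from that inherited list. The model assumes that IIS rejects a request when any deny sequence appears anywhere in the URL, compared case-insensitively, that <remove> drops a single inherited sequence and <clear> empties the list; the two XML fragments and the sample request paths are constructed for the example. It also checks the point made above that the configuration must remain valid XML: the same rule typed with typographic quotes (as it appears when copied from a web page) fails to parse.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the global rule set from the reply, in applicationHost.config.
APPHOST_FRAGMENT = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="/CFIDE/administrator" />
          <add sequence="/CFIDE/adminapi" />
          <add sequence="/CFIDE/AIR" />
          <add sequence="/CFIDE/appdeployment" />
          <add sequence="/CFIDE/componentutils" />
          <add sequence="/CFIDE/debug" />
          <add sequence="/CFIDE/orm" />
          <add sequence="/CFIDE/portlets" />
          <add sequence="/CFIDE/probe.cfm" />
          <add sequence="/CFIDE/scripts" />
          <add sequence="/CFIDE/services" />
          <add sequence="/CFIDE/wizards" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

# Constructed sample: the web.config placed in the cfadmin site's web root.
CFADMIN_WEBCONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <remove sequence="/CFIDE/administrator" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>"""

# Constructed sample: the same rule with typographic quotes (U+201D), as it
# often arrives when copied from a web page. This is not well-formed XML.
SMART_QUOTE_FRAGMENT = (
    "<denyUrlSequences><add sequence=\u201d/CFIDE/administrator\u201d />"
    "</denyUrlSequences>"
)


def is_well_formed(xml_text):
    """True if the text parses as XML; IIS refuses a config file that does not."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def effective_deny_sequences(*configs):
    """Apply config files in inheritance order (global applicationHost.config
    first, then each site-level web.config) and return the resulting list.
    Assumption: <add> appends, <remove> drops one entry, <clear> empties it."""
    denied = []
    for text in configs:
        root = ET.fromstring(text)
        for collection in root.iter("denyUrlSequences"):
            for elem in collection:
                seq = elem.get("sequence", "")
                if elem.tag == "add" and seq:
                    if seq.lower() not in (d.lower() for d in denied):
                        denied.append(seq)
                elif elem.tag == "remove" and seq:
                    denied = [d for d in denied if d.lower() != seq.lower()]
                elif elem.tag == "clear":
                    denied = []
    return denied


def is_blocked(url_path, denied):
    """Assumption: a deny sequence matches as a case-insensitive substring."""
    low = url_path.lower()
    return any(seq.lower() in low for seq in denied)


def evaluate(url_paths, *configs):
    """Map each request path to 'denied' or 'allowed' under the config chain."""
    denied = effective_deny_sequences(*configs)
    return {p: ("denied" if is_blocked(p, denied) else "allowed") for p in url_paths}


if __name__ == "__main__":
    samples = [
        "/index.cfm",
        "/CFIDE/administrator/index.cfm",
        "/cfide/ADMINAPI/base.cfc",
        "/CFIDE/scripts/ajax/package/cfajax.js",
    ]
    print("copied fragment is valid XML:", is_well_formed(SMART_QUOTE_FRAGMENT))
    print("public site: ", evaluate(samples, APPHOST_FRAGMENT))
    print("cfadmin site:", evaluate(samples, APPHOST_FRAGMENT, CFADMIN_WEBCONFIG))
```

Running it shows that on an ordinary site every /CFIDE path in the list is denied regardless of letter case, while the cfadmin site regains /CFIDE/administrator but still denies the other sequences. That is also the caveat to keep in mind: whichever site's web root holds that web.config gets the administrator path back, so it belongs only in the separately bound cfadmin site, never in a public site's web root.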

Inspiring
May 8, 2013

Thanks for this discussion,
I have worked for 3 weeks on this question.
Every 2 or 3 days I have 2 TMP files found as VIRUS in that directory.

This makes me very afraid.

I thought it came from an insecure UPLOAD?
Can you confirm these files are not a VIRUS?

I do not understand your recommendations above with request filtering, CFIDE, etc.
I am not knowledgeable enough to understand this.

If I leave the configuration as it is, with these files coming regularly,
IS THIS SAFE???

A big thanks for your answer or recommendation.
Pierre.