September 14, 2009
Question

CF Instance Administration - External risks


Hi there

We have a CF 8 server, and we noticed that we're getting quite a few hits on the following page: www.domainname.com/CFIDE/administrator

What would be our options for trying to secure this page, so that we had more than a password between the hackers and private company/client information? Could switching the port numbers really make that big of a difference?

I guess I'm thinking of some type of logic that we could edit to only allow admin access to a list of IPs, or maybe block external requests (everything except localhost/127.0.0.1).

Is there any robust way of buttoning this up a bit and making it less prone to hacker attacks?

Thank you much for your input.


    September 14, 2009

    After I've configured the datasources, mappings, and other settings in the CF administrator, I generally remove all the files and directories from CFIDE on production servers except CFIDE/scripts, which is used by CFFORM and other JavaScript-related tags. I keep the CFIDE directory backed up and off of the web site. When I need to make a setting change through the administrator site, I copy the files to the web site and remove them when I'm done.

    Security Best Practice: Securing the ColdFusion Administrator
    http://go.adobe.com/kb/ts_tn_17254_en-us

    September 15, 2009

    Hi there

    Thank you for the thoughts offered.

    Inasmuch as I understand and agree with the solution offered, I don't know that we can actually implement that, as we have several services that require the CFIDE folders to be in place.

    I think we're looking for some way to implement a logic that will filter access either by IP or any other criteria that's configurable by us.

    I can't imagine the manufacturer not considering this when the software was designed.

    Besides the fact that the link seems to talk about v7, it does not have any specifics on how to implement a good security policy for the administration access. It simply states that "ColdFusion provides both Basic and Advanced Security facilities to secure the ColdFusion Administrator against unauthorized use" without qualifying it more.

    September 15, 2009

    What services do you use within CFIDE in your applications (other than the aforementioned scripts stuff)?

    I think the suggestion to remove the files is a bit heavy-handed. I'd just make the base /CFIDE dir not web-browsable from anything other than administrative IP addresses, but open up /CFIDE/scripts to be browsable if needs must.

    Alternatively, as of CF8 one can relocate the stuff one needs for <cfform>, the various AJAX odds 'n' sods and the like to some other location, using <cfajaximport> (http://livedocs.adobe.com/coldfusion/8/htmldocs/Tags_a-b_2.html#3980738).


    --

    Adam
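Added example, not from this thread or from Adobe: an Apache 2.2-style httpd.conf fragment that implements what the original question asked for (admin access only from a list of IPs, or only from localhost) and what Adam's last reply describes (lock down the whole /CFIDE tree, reopen /CFIDE/scripts). The loopback address is real; the 10.0.0.0/8 management range is an assumed placeholder to replace with your own admin addresses.

```apache
# Constructed example: restrict the ColdFusion admin tree at the web server.
# Everything under /CFIDE (administrator, componentutils, and so on) is
# denied unless the request comes from loopback or the assumed admin network.
<Location /CFIDE>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 10.0.0.0/8      # placeholder: your management network
</Location>

# Re-open only the part that <cfform> and the AJAX tags need for ordinary
# visitors. Location sections are merged in configuration order, so this
# later, more specific block overrides the deny above for /CFIDE/scripts.
<Location /CFIDE/scripts>
    Order allow,deny
    Allow from all
</Location>
```

On Apache 2.4 the same policy is written with `Require ip 127.0.0.1 10.0.0.0/8` inside the first block and `Require all granted` inside the second. Two caveats worth checking after deploying this: confirm with a request from an outside address that /CFIDE/administrator now returns 403 while /CFIDE/scripts still loads, and remember that these rules only cover requests that arrive through the web server connector. CF 8 also answers on its built-in web server port (8500 by default), so that port needs to be firewalled or bound to localhost, which is the real answer to the question of whether port numbers matter. Keep reviewing the web server log for hits on /CFIDE/administrator; after the change they should all be 403s from non-admin addresses.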