Inspiring
August 4, 2015
Answered

Is there any way to modify adminapi/base.cfc

  • 2 replies
  • 1325 views

Hello,

Perhaps I'm a bit paranoid, but is it possible to modify adminapi/base.cfc so that it does not show the version information?

When you call http://[server]/CFIDE/adminapi/base.cfc?wsdl it displays a template with a comment like <!--WSDL created by ColdFusion version 10,0,14,291717-->, and I would prefer to not disclose that information.


Thanks in advance,


    pete_freitag
    Participating Frequently
    August 4, 2015

    Also -- I had thought that they removed that comment in CF10, but I wonder if you are using the Axis1 instead of Axis2 (default) -- I think if you set the Web Services version to 2, in ColdFusion Administrator under Data & Services > Web Services that version number will go away. But there is probably a reason why you have set it to 1 (if my assumption is correct), since 2 is the default.

    pete_freitag (Correct answer)
    Participating Frequently
    August 4, 2015

    Hi Ernesto, you will not be able to remove that by editing the file; that is done by the CF server. Another approach would be to use your web server to block such requests. For example, you can configure IIS 7+ using Request Filtering to block all .cfc requests (if you do not use web services, or the AJAX CFC proxy, or other technologies that might require access to the CFC remotely), or you can (and should) also block the adminapi folder using a Deny URL Sequence of /CFIDE/adminapi/. If you are on Apache the same can be done using RedirectMatch or several other ways. Check out the ColdFusion 10 Lockdown Guide for more info: http://bit.ly/cf10lockdown
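The IIS Request Filtering rules Pete describes, written out as an added example (this is not configuration from the thread or from Adobe's Lockdown Guide). It assumes IIS 7 or later; placed under `<system.webServer>` in applicationHost.config the rules apply to every site on the server, while the same fragment in a site's web.config applies to that site only.

```xml
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Deny any request whose URL contains the AdminAPI path.
             IIS answers such requests with 404, substatus 404.5
             ("URL sequence denied"), which is what to look for in
             the IIS log when verifying the rule. -->
        <denyUrlSequences>
          <add sequence="/CFIDE/adminapi/" />
        </denyUrlSequences>

        <!-- Optional, stricter rule: refuse every .cfc request
             (404, substatus 404.7). Omit this block when remote
             CFC access is still required, e.g. web-service clients
             such as the legacy CF 7 site mentioned in this thread
             or the AJAX CFC proxy. -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".cfc" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

After applying it, request /CFIDE/adminapi/base.cfc?wsdl from outside and confirm the response no longer carries the WSDL body (and its version comment) but a 404 from IIS.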

    Inspiring
    August 4, 2015

    Hi Pete,

    Thank you very much for your answer and your advice. That's correct, I have some legacy code on an external website with CF 7 that requests web services from this server, and it failed when using Axis2. I should really rewrite that code (and convince the client to move the web to a hosting provider with a higher version), but meanwhile, I think it will be faster to talk with our server's tech people and try to block all requests except the ones from that external website. I hadn't thought of that.

    Best wishes,

    Charlie Arehart
    Community Expert
    August 4, 2015

    And Ernesto, to be clear, you DO NOT need to leave that open for your other web service calls. The AdminAPI is something that really never should have been exposed on the web. As Pete says, you can and should (almost always) block it the way he proposes.

    And here’s good news: if you move to CF11 (or if others reading this are running it), you can also prevent access to the AdminAPI by a new security feature in the CF Admin (under Security>Allowed IP Addresses, then the second section on the page, “Allowed IP Addresses for accessing ColdFusion Administrator and ColdFusion Internal Directories”). While that page is in the CF 10 Admin also, it doesn’t indicate “and ColdFusion Internal Directories”.

    Hey Pete, can you confirm if it was indeed that CF11 alone now blocks the adminapi with this? Or was it maybe in 10 also, but just not properly indicated on the server? I’ve been meaning to test that, but cannot do that at the moment.

    Finally, Ernesto, you end saying you will have your folks “try to block all requests except the ones from that external website”. I would caution you (as Pete surely would, too) that you don’t want to do that only for this site. You want to do it for all sites. If you’re using IIS, you would want to block /CFIDE/adminapi in the request filter feature at the server level, not just at a specific site level. (If somehow you needed the AdminAPI open in a given site, you could remove it there. But really, it is HIGHLY unlikely that one ever needs that open via the web. And to be clear, you do NOT lose access to the AdminAPI via CFML, when invoked as a CFC. It’s JUST web access we’re locking down here.)

    Hope that’s helpful.

    /charlie

    /Charlie (troubleshooter, carehart.org)