ColdFusion 2021 Update 11 New Connector Required

Report · Oct 12, 2023

Requesting some help with this one.

I know the basic steps for creating the new connector. I am able to do that successfully, but upon using the new isapi_redirect.dll the isapi_redirect.log is being written with this error upon trying to access the ColdFusion Administrator: [warn] jk_check_path::jk_util.c (2476): Blocking this uri: [/CFIDE/Administrator/index.cfm] since its starting with cfide

I know I've seen numerous posts about not accessing the CFIDE and that Adobe is helping us by blocking it, but this is my only way to administer this in my environment.

If I go back to using the previous isapi_redirect.dll there is no issue and I am able to access the ColdFusion Administrator console without any issues.

Is there a new exclusion that we need to include somewhere to allow access to CFIDE/Administrator with this new update?

Report · Jul 03, 2024

Thanks for all that. To clarify a point, I'd assert that the reason they didn't "document" or "announce" this change in behavior (for the connector, blocking CFIDE urls) is because again the original change in behavior was started in cf2016 (7 years ago) to BLOCK such urls by default.

As noted previously, they did it then by a) adding the block in the uriworkermap.properties and then by b) NO LONGER creating the CFIDE virtual directory when using the wsconfig tool to connect a site to cf. They also c) changed the cf installer to ALWAYS enable the built-in web server (no longer offering it as an "option").

So anyone who was "manually working around those" (to access the cf admin via iis or apache) was already operating out of bounds...not per the stig, or course, which again was never updated to reflect these changes since it was written for cf11 in 2014. But out of bounds per this change that started with CF2016.

It's reasonable to assert it "should have been better documented" (and made configurable) when it was changed. I'm just offering a possible reason why it was not. That's where the tracker ticket makes sense. I'm sure many here will look forward to adding a vote!

And those who have pull (I really do not) can lobby Adobe more directly, by raising the issue with their account rep or other contacts they may have. Adobe often responds to enterprises in a way they do not for individuals--even an angry mob of them. 🙂

/Charlie (troubleshooter, carehart.org)

Report · Jul 03, 2024

Per your recommendation, I filed a bug ticket.

The URL for the ticket is: https://tracker.adobe.com/#/view/CF-4222672

I will also follow-up with an email to the licensed reseller from whom we purchased our license to see if they have any additional insight and/or let them know we are not thrilled with this issue.

Thanks again for your insights and recommendations.