ColdFusion web.xml exposed
Copy link to clipboard
Copied
How can I prevent someone from downloading the web.xml file using a Nessus exploit. I do have access to the ColdFusion administrator and enabled several security settings but WEB-INF/web.xml can still be accessed.I have spent the last 2 hours trying to find the solution online.
Sorry if that is an obvious setting but I don't know much about ColdFusion as I am a IBM Notes administrator...
Copy link to clipboard
Copied
Don't use the default CF installation settings for hosting. It will default to {drive}/ColdfusionX/cfusion/wwwroot, and place the CFIDE folder and WEB-INF folder, there. Whatever webserver you're using (Apache, IIS), set it (and CF server) to a different location, and map the CFIDE and WEB-INF directories in CFAdmin.
A good idea would be to follow a Lockdown Guide, when setting up your CF server. Charlie Arehart has a list of preferred guides.
HTH,
^_^

