Coldfusion 2023, latest updates.
We are getting vulnerability hits from our internal scanning tools because Directory Listing is possible on our servers installed with the Development Profile. Turning off directory browsing in IIS does not work.
The Production Profile servers do not have this issue. Which makes sense according to these docs: https://helpx.adobe.com/coldfusion/installing/understanding-coldfusion-server-profiles.html
We don't need directory listing. But I cannot find a way to disable it. The link above says you cannot change the profile, but you can change the settings. Is there a way to do this in CFAdmin? Or in a settings file somewhere?
Joey, I have good news/bad news for you. First, you CAN change that behavior, but no, there is no way (I know of) to change that via the CF Admin.
Second, this has nothing to do with IIS (as you have found, since disabling that made no change). Instead, this is about what's called the "built-in web server" in CF, which is technically the Tomcat web server. (For most folks, that's used only for the cf admin, and via the default port of 8500.) And THAT web server offers configurability, via xml files (rather than the CF Admin).
And the feature in that web server that allows "directory browsing" is called the "listings" feature, as controlled by the Tomcat web.xml file. More on this in the Tomcat docs on this feature.
So in cf, that web.xml file can be found in the cfusion/runtime/conf folder. Make a copy/backup of that file there, then edit it, finding the block of code related to this "listings" feature:
<init-param>
    <!-- secure profile disable start -->
    <param-name>listings</param-name>
    <param-value>true</param-value>
    <!-- secure profile disable end -->
    <!-- secure profile enable start
    <param-name>listings</param-name>
    <param-value>false</param-value>
    secure profile enable end -->
</init-param>
Note that as offered in this version of the file created by Adobe, there are two sets of similar args related to "listings", one of which is surrounded by comments and the other is commented out (important difference), which may not be obvious if you open this file with a simple editor like Notepad.
You have two choices: if yours looks like that above (which I suspect it will, given what you said), you could just change that first true to false. Or you could try to change the comments so as to comment-out the first set and uncomment the second. Either way, then save the file, restart CF, and test for your display of directory browsing. (If cf doesn't start or your app fails to run, revert to that backup of the file and restart cf.)
As for the fact that the CF Admin doesn't control this, we could argue that it's one of many things about this CF built-in web server that are not controlled via the CF Admin. I'd recommend you open a feature request at the CF bug tracking system, tracker.adobe.com.
As for the relationship of all this to the production profile vs developer profile, that's a choice asked only at install. Once it's taken, there's no way to change from "the production profile" to the "development profile", or vice-versa. Someone may argue it's about the checkbox for "developer profile" page (on the CF Admin "debugging & logging" section).
But I'll note that while I had indeed installed the Developer profile at install (as was reflected in my CF install log in the CF root directory), I did NOT see that checkbox checked... and yet like you I could see directory browsing work, when using the built-in web server (which I did expect and appreciate).
To be clear, once I changed that xml file and restarted CF, the directory listings were disabled (again with no impact on or reflection of that "developer profile" page checkbox).
Hope that helps.
I'm sure some will feel this was "a lot more than was needed to be said", but so often with "simple answers" is that they leave more questions that inevitably are asked. I'm just trying to head those off. 🙂 And even if not from you, from folks finding this thread in the future, since indeed there's relatively little on changing this behavior with respect to CF.
Let us know if this does the trick for you.
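One way to automate the web.xml edit described in the reply above, as an added example that is not part of the thread or of Adobe's files: it flips a live listings=true to false in the raw file text (so the commented-out "secure profile" block and the marker comments are left intact) and then parses the result to confirm the effective setting. It assumes a plain Tomcat-style web.xml layout; the sample document is constructed.

```python
import re
import xml.etree.ElementTree as ET
COMMENT_RE = re.compile(r'<!--.*?-->', re.S)
# A live listings=true pair: the name element followed directly by its value.
LISTINGS_TRUE_RE = re.compile(
    r'(<param-name>\s*listings\s*</param-name>\s*<param-value>\s*)true(\s*</param-value>)',
    re.S | re.I)

def _in_comment(text, pos):
    """True if offset pos lies inside an XML comment (a commented-out block)."""
    return any(m.start() <= pos < m.end() for m in COMMENT_RE.finditer(text))

def disable_listings(xml_text):
    """Return (new_text, count); live listings=true flipped to false, comments preserved."""
    count = 0
    def flip(m):
        nonlocal count
        if _in_comment(xml_text, m.start()):
            return m.group(0)               # inside a comment: leave it alone
        count += 1
        return m.group(1) + 'false' + m.group(2)
    return LISTINGS_TRUE_RE.sub(flip, xml_text), count

def listings_enabled(xml_text):
    """Parse the XML and report whether any live listings init-param is true."""
    root = ET.fromstring(xml_text)          # comments are dropped: only live settings remain
    for ip in root.iter():
        if ip.tag.rsplit('}', 1)[-1] != 'init-param':   # tolerate a namespace prefix
            continue
        kv = {c.tag.rsplit('}', 1)[-1]: (c.text or '').strip() for c in ip}
        if kv.get('param-name') == 'listings' and kv.get('param-value', '').lower() == 'true':
            return True
    return False

# Constructed sample mirroring the block quoted above; not a real CF web.xml.
SAMPLE_WEB_XML = """<web-app><servlet><servlet-name>default</servlet-name><init-param>
<!-- secure profile disable start -->
<param-name>listings</param-name>
<param-value>true</param-value>
<!-- secure profile disable end -->
<!-- secure profile enable start
<param-name>listings</param-name>
<param-value>false</param-value>
secure profile enable end -->
</init-param></servlet></web-app>"""

if __name__ == '__main__':
    # On a real server: read cfusion/runtime/conf/web.xml, back it up, then write new_text.
    new_text, n = disable_listings(SAMPLE_WEB_XML)
    print(n, listings_enabled(SAMPLE_WEB_XML), listings_enabled(new_text))  # 1 True False
```

Running the check before and after the edit gives the same "does directory browsing work" answer you get from the browser test, without depending on the Developer profile checkbox.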
Just changed that value to false and all is good! Checked all the CF xml files and didn't find anything. Then scanned the whole directory for anything with 'directorylisting'. Turns out it's just called 'listings'.
Thank you!
Yep, as I'd said. (I think you're acknowledging that.) And nope, not obvious, which is too bad.
But like I said, we shouldn't have to have this esoteric knowledge. It SHOULD be a setting in the CF Admin. And a feature request would be given more credibility coming from a customer like you, but since you don't indicate doing it, I just did. The URL is here, and you or others reading this can add votes if you're interested (which helps bring it to Adobe's attention):
https://tracker.adobe.com/#/view/CF-4220648