Perhaps I'm a bit paranoid, but is it possible to modify adminapi/base.cfc in order to not show the version information?
When you call http://[server]/CFIDE/adminapi/base.cfc?wsdl it displays a template with a comment like <!--WSDL created by ColdFusion version 10,0,14,291717-->, and I would prefer to not disclose that information.
Thanks in advance,
Hi Ernesto, you will not be able to remove that by editing the file; that is done by the CF server. Another approach would be to use your web server to block such requests. For example, you can configure IIS 7+ using Request Filtering to block all .cfc requests (if you do not use web services, or the AJAX CFC proxy, or other technologies that might require access to the CFC remotely), or you can (and should) also block the adminapi folder using a Deny URL Sequence of /CFIDE/adminapi/. If you are on Apache the same can be done using RedirectMatch or several other ways. Check out the ColdFusion 10 Lockdown Guide for more info: http://bit.ly/cf10lockdown
Thank you very much for your answer and your advice. That's correct, I have some legacy code on an external website with CF 7 that requests web services from this server, and it failed when using Axis2. I should really rewrite that code (and convince the client to move the web to a hosting provider with a higher version), but meanwhile, I think it will be faster to talk with our server's tech people and try to block all requests except the ones from that external website. I hadn't thought of that.
And Ernesto, to be clear, you DO NOT need to leave that open for your other web service calls. The AdminAPI is something that really never should have been exposed on the web. As Pete says, you can and should (almost always) block it the way he proposes.
And here’s good news: if you move to CF11 (or if others reading this are running it), you can also prevent access to the AdminAPI by a new security feature in the CF Admin (under Security>Allowed IP Addresses, then the second section on the page, “Allowed IP Addresses for accessing ColdFusion Administrator and ColdFusion Internal Directories”). While that page is in the CF 10 Admin also, it doesn’t indicate “and ColdFusion Internal Directories”.
Hey Pete, can you confirm if it was indeed that CF11 alone now blocks the adminapi with this? Or was it maybe in 10 also, but just not properly indicated on the server? I’ve been meaning to test that, but cannot do that at the moment.
Finally, Ernesto, you end saying you will have your folks “try to block all requests except the ones from that external website”. I would caution you (as Pete surely would, too) that you don’t want to do that only for this site. You want to do it for all sites. If you’re using IIS, you would want to block /CFIDE/adminapi in the request filter feature at the server level, not just at a specific site level. (If somehow you needed the AdminAPI open in a given site, you could remove it there. But really, it is HIGHLY unlikely that one ever needs that open via the web. And to be clear, you do NOT lose access to the AdminAPI via CFML, when invoked as a CFC. It’s JUST web access we’re locking down here.)
Hope that’s helpful.
@Charlie - that Allowed IP Addresses feature only applies to the AdminAPI in CF11; in CF10 and below it refers to the ColdFusion services under /CFIDE/services/. Also, Ernesto may have been referring to my comment about blocking all .cfc requests on the web server, except from the internal CF7 servers which need to hit his web services. Either way, good points. @Ernesto - big +1 to Charlie's comments about blocking /CFIDE/adminapi globally; even if you block the .cfc file extension, defense in depth never hurts.
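Pete's earlier suggestion (block .cfc requests at the web server, and deny /CFIDE/adminapi regardless) and the point about blocking the AdminAPI globally rather than per site can be expressed as one server-level Apache configuration. This is an added example, not configuration taken from this thread or from the ColdFusion Lockdown Guide; it assumes Apache 2.4 `Require` syntax, and 203.0.113.10 is a placeholder standing in for the address of the legacy CF7 host that still needs the web services.

```apache
# Added example (not from the thread or the Lockdown Guide).
# Place this in the server-level configuration (e.g. httpd.conf), OUTSIDE any
# <VirtualHost>, so it applies to every site on the server, not just one.

# 1. Never serve the AdminAPI over HTTP, from anywhere. CFML code that invokes
#    the AdminAPI CFCs in-process is unaffected; only web access is blocked.
#    LocationMatch is evaluated before the request is handed to the CF
#    connector, so it works however .cfc URLs are proxied to ColdFusion.
<LocationMatch "^/CFIDE/adminapi(/|$)">
    Require all denied
</LocationMatch>

# 2. Block remote .cfc invocation (web services, ?wsdl, the AJAX CFC proxy)
#    except from the single legacy host that still calls the web services.
#    If no remote caller needs .cfc access at all, replace the Require ip line
#    with "Require all denied".
#    Placeholder address for the legacy CF7 server: 203.0.113.10
<LocationMatch "\.cfc(/|$)">
    Require ip 203.0.113.10
</LocationMatch>
```

Two notes on the design: the rules deliberately leave /CFIDE/scripts alone, so cfform, cfchart and the AJAX client libraries keep working, and because `Require all denied` in rule 1 is matched first for anything under /CFIDE/adminapi, the legacy host's .cfc exception in rule 2 still cannot reach the AdminAPI. After applying it, a request for /CFIDE/adminapi/base.cfc?wsdl from any client should return 403 rather than the WSDL with its version comment.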
Thank you very much for your comments. Yes, when talking about "block all requests except the ones from that external website" I was referring to adminapi/base.cfc.
I'm aware that I must take a deep look at the Lockdown Guide and block as much as possible in the CFIDE directory. The problem is that we make extensive use of cfforms, graphs and AJAX, and I'm a bit afraid that I could break something.
Thanks again to both for all your comments and suggestions.
@Ernesto, those things (in your last paragraph) are about the CFIDE/scripts folder, so as long as you don’t block that (or if you set up an alternative scripts virtual directory, also discussed in the Lockdown Guide), you should be ok there.
@Pete, thanks for confirming my suspicion that the adminapi is not blocked by the “allowed ip addresses” in CF 10, only in 11.
Also -- I had thought that they removed that comment in CF10, but I wonder if you are using the Axis1 instead of Axis2 (default) -- I think if you set the Web Services version to 2, in ColdFusion Administrator under Data & Services > Web Services that version number will go away. But there is probably a reason why you have set it to 1 (if my assumption is correct), since 2 is the default.