I am new to cold fusion and i am facing a problem which has been pointed out by our security team on an application wirtten in cold fusion:
We have an application written in cold fusion, for which the login page is lets say the below -
Now the vendor is the root directory and it has subdirectories containing the cfm files. So if i do https://xxx.com/vendor/common/abc.cfm , i am able to access the abc.cfm which is in the common folder inside the vendor directory. Now the problem is that if i do https://xxx.com/vendor/common/ , it shows meon browser the list of files present in the common directory, which is not acceptable.. I can see that putting index.cfm in the common folder resolves the problem by redirecting me to the index page. But since there are approximately 120 subdirectories , is there a way to do this in a better way other than putting an index.cfm in every folder ? I tried the missing page handler on the server colsole but no luck.
Any assistance will be greatly appreciated.
If I understood the problem correctly then you have directory browsing enable at webserver. First please disable it and then check it.
thanks for the reply.
I tried the following -
going to C:\ColdFusion10\cfusion\runtime\conf web.xml and changing the value of listings parameter -
<!-- secure profile disable start -->
<!-- secure profile disable end -->
<!-- secure profile enable start
secure profile enable end -->
I changed the listing from true to false, but no luck so far.
i disabled directory browsing on iis , that did the trick . Thanks a lot for your help !!!! If i see any issue , i will post again.
Glad that did the trick, could you please mark the answer correct.
did it, thanks again!
Your security team must not know an arse from an elbow if they did not know how to turn off directory browsing.
I'd seriously consider a full security audit of your OS, web server, CF server and code.
Also has been "ColdFusion" - one word - for close to two decades now...