Highlighted

ColdFusion 2016 restrict IP Addresses

New Here ,
May 23, 2018

Copy link to clipboard

Copied

Hi,

I have a Cold Fusion 2016 at update 3 and I am trying to restrict access to the internal components (adminapi) and the administrator to the server itself so that no one can access it without logging onto the server.  I added the IP address of the server and local host.  It seems to have saved it but it still allows outside access.  The administrator is hosted on the local tomcat server at port 8500.

My security team is insisting to lock this down but this feature isn't working.  Do I need to apply an update to fix a bug or do I need to restart cold fusion?

Views

656

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

ColdFusion 2016 restrict IP Addresses

New Here ,
May 23, 2018

Copy link to clipboard

Copied

Hi,

I have a Cold Fusion 2016 at update 3 and I am trying to restrict access to the internal components (adminapi) and the administrator to the server itself so that no one can access it without logging onto the server.  I added the IP address of the server and local host.  It seems to have saved it but it still allows outside access.  The administrator is hosted on the local tomcat server at port 8500.

My security team is insisting to lock this down but this feature isn't working.  Do I need to apply an update to fix a bug or do I need to restart cold fusion?

Views

657

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
May 23, 2018 0
Adobe Community Professional ,
May 23, 2018

Copy link to clipboard

Copied

Mary, there would seem to be some unexpected explanation.

First, on the CF Admin "allowed ip addresses" page, note that there are 2 fields, one at the top and one at the bottom. For what you want, you need to be updating the bottom field.

Second, once you add to that list, if you leave and return to the page, are the changes remaining?

Third, you say you are on update 3. As you may know, there is now an update 6. It may be interesting to see if it still happened after that. But even before doing that, you could see if there was perhaps an error during the application of update 3. I have a blog post on that (including how to find the update log, how to make sense of it, and how to fix problems that may have happened in applying the update, that could leave things not working quite right.)

But before I share that, you may find that your CF already came with update 3 applied (due to being a later installer), in which case you will not have an update folder and log for update 3, so what I write here will not apply (for that update 3):

How to solve common problems with applying ColdFusion updates (in 10 and above)

Let us know if any of the above may help.

/Charlie (server troubleshooter, carehart.org)

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
May 23, 2018 0
New Here ,
May 23, 2018

Copy link to clipboard

Copied

Hi,

Thanks for the update.  I did apply the IP addresses to the bottom section and I leave the page and go back and they are still there.  If I log out and back in it is still there.  But if I go to the administrator from another server it still brings it up and you can also get to the scripts that are under adminapi.

it looks like the cold fusion update 3 was embedded I followed your link and found that it was embedded.  So it's not a bad update.  I haven't had to update cold fusion, I used to use it a long time ago so I was planning on putting the update on and seeing if that works.

It's not a public facing web site so they are going to try and block it with the firewall for  now.  I'm hoping the updates will work.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
May 23, 2018 0
New Here ,
Jun 02, 2018

Copy link to clipboard

Copied

Hi,

It looks like it prevents login to the Cold Fusion Administrator, the site comes up but any attempt to login to it is denied.  But it still allows me to get to the adminapi.  We only use this as a small web site, how can I determine if I try to actually use adminapi cfc files they will be denied?  I don't know how to invoke them, the ?wsdl works though.

Does anyone know?

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jun 02, 2018 0
Adobe Community Professional ,
Jun 02, 2018

Copy link to clipboard

Copied

You can try requesting them through a browser on another machine using ?wsdl, which is fine for your purposes.

Dave Watts, Fig Leaf Software

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jun 02, 2018 0
New Here ,
Jun 04, 2018

Copy link to clipboard

Copied

Ok so the restriction on the cold fusion administrator for these isn't working.  I have read the cold fusion lock down guides but they never mention how to block the internal web server and if they do it's not clear.

how do I prevent the built-in web server from allowing the URLs to be browsed?

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jun 04, 2018 0
Adobe Community Professional ,
Jun 04, 2018

Copy link to clipboard

Copied

The internal web server is Apache Tomcat, so you'll have to look at Tomcat documentation to see how this is done. I think this is probably the relevant link:

Apache Tomcat 7 Configuration Reference (7.0.88) - Container Provided Filters

You can also use your web server's built-in firewall functionality to prevent connections from external servers.

Dave Watts, Fig Leaf Software

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jun 04, 2018 0
New Here ,
Jun 04, 2018

Copy link to clipboard

Copied

Hi,

I found out how to block outside IP addresses.  It's in server.xml under the Connector for the port.  I only allow the localhost and now no one can connect to the administrator unless they are on the machine.  Thanks for all your help.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jun 04, 2018 0