I have seen a few older posts that have presented this same issue, but there was no resolution in the thread. I have posted on those threads asking if they found a solution, however thought I would present the issue myself and hopefully someone has a fix/workaround.
CF10, W2008R2, IIS 7.5. Using a group with NTFS permissions and trying to limit the access to the pages. Anyone can view the page: put a username and password in the Windows security popup, click OK, you are immediately prompted again, click Cancel and you can see the page contents. Tested with an HTML page, and the HTML page is blocked properly. It is my understanding that IIS passes the control to CF, and CF displays the .cfm page.
Since this is IIS 7.5, the "check if file exists" checkbox that was working in IIS6 isn't there any longer; it is now items under Handler Mappings. I saw in one thread a discussion about editing a wildcard mapping, but it was vague and didn't have the settings I need to fix this, or I did not understand based on what I see on our server. I have set the .cfmHandler to "file", and that did not work. I do not see a wildcard handler in the name column; however, there are * in the path column, so it wasn't clear what really is the magic wildcard mapping I am looking for.
I cannot believe this issue has existed since IIS7, and there is no clear guidance on the topic. Someone has to have figured it out... bypassing NTFS permissions and not being able to restrict access to a group is not a small issue, in my opinion anyway. I have searched all over the place, hopefully someone here knows what the magic answer is...
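As an added check (not from any post in this thread), the following PowerShell script reproduces the comparison the original poster describes from the command line, so the behaviour can be verified before and after a handler or connector change: it requests a protected .htm and a protected .cfm with no credentials and reports whether IIS refused the request or the rendered page came back anyway. The site URL, folder, file names and marker text are hypothetical.

```powershell
# Added self-check, not from the thread. Requests each protected test URL
# without credentials and reports whether IIS actually refused it.
# Assumptions (hypothetical): the site is http://intranet.example/, the
# NTFS-protected folder contains test.htm and test.cfm, and both contain
# the marker text "SECRET-MARKER" when rendered.
$baseUrl = 'http://intranet.example/protected/'
$marker  = 'SECRET-MARKER'
$pages   = @('test.htm', 'test.cfm')

function Get-AnonymousResponse {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Credentials = $null            # send no Windows credentials at all
    $req.UseDefaultCredentials = $false
    $req.AllowAutoRedirect = $false
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # A 401 surfaces as an exception; the response and its body are still attached.
        $resp = $_.Exception.Response
        if (-not $resp) { throw }
    }
    $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
    $body   = $reader.ReadToEnd()
    $reader.Close(); $resp.Close()
    [pscustomobject]@{ Url = $Url; Status = [int]$resp.StatusCode; Body = $body }
}

foreach ($page in $pages) {
    $r = Get-AnonymousResponse -Url ($baseUrl + $page)
    # The browser symptom in the thread (cancel the popup, still see the page)
    # shows up here as a 401 whose body nevertheless carries the rendered page:
    # IIS issued the challenge, but the .cfm handler still ran and returned content.
    $leaked  = $r.Body -match [regex]::Escape($marker)
    $verdict = if ($r.Status -eq 401 -and -not $leaked) { 'BLOCKED' }
               elseif ($r.Status -eq 401 -and $leaked)  { 'LEAK: 401 but page content returned' }
               elseif ($r.Status -eq 200)               { 'LEAK: served without credentials' }
               else                                     { "other ($($r.Status))" }
    '{0,-45} {1}' -f $r.Url, $verdict
}
```

Run it from a machine that is not already logged on to the site; a correctly protected folder reports BLOCKED for both files, and the thread's problem shows as BLOCKED for test.htm but LEAK for test.cfm.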
This may not be what you want to hear, but I don't think you can get CF to play by NTFS rules with IIS 7+. Since IIS hands off processing of .cfm/.cfc files to ColdFusion, it can't enforce NTFS permissions. I think CF developers typically rely on a security system within their ColdFusion application to determine who can access which .cfm files or folders. So programmatically you check the credentials of the user and determine if they are supposed to be able to access a particular .cfm file, and redirect them if they are not. Some use the <cflogin> features of ColdFusion; others roll their own.
I could be completely off about this, though. Do you use Application.cfc in your apps, or Application.cfm? That may have a bearing as well.
I should be more specific. I know CF has always been this way. In IIS6 you could force IIS to make sure the file exists and then pass control to CF. In IIS7.5, that checkbox is gone. I want IIS to check perms before passing to CF. Has anyone managed to get this to work, and if so, what was the solution? I am an admin, not a developer.
CF10 Update 14 was just released. I tried responding to the support email addresses used earlier this year for this issue, including the one you told me to use then, and all of them bounce back. I was forwarding our conversation history so they can tell me if it will break what we fixed. Please tell me how to forward the conversation/fix history to a good email address with my questions.
Hello?? Anyone there? I have honored Support's request to not discuss the solution in public, so I would appreciate a response from Support so I can ask my questions about CF10 Update 14 potentially breaking this again before I install the update. I do NOT see where it is listed in the fix list for this update. Maybe I missed it. If it isn't fixed, I will be extremely disappointed. I tried all of the email addresses used earlier this year to contact Support and all failed.
The email address is still the same: cfinstal<AT>adobe<DOT>com. The NTFS permission issue is not fixed in CF10 Update 14. Here is the list of bug fixes in this release: Bugs fixed in ColdFusion 10 Update 14.
Tried emailing yet again, we shall see if it bounces back like it did last week.
I am extremely disappointed that this issue was not fixed in this update. It is a HUGE security issue! We can't be the only people who noticed it. It needs to be taken SERIOUSLY!
Has this issue been fixed yet? Are there any workarounds? I am experiencing the same issue on CF 2018. This appears to me to be a huge security issue, as the only way to control access to a ColdFusion page is through code, not NTFS permissions.
So, this is kind of a weird problem. The problem isn't that ColdFusion can bypass NTFS permissions. It's that URLs are separate from files when you use the new sort of mapping instead of something that explicitly checks for the file's existence before allowing the user to access it. In fact, you can create mappings to URLs that don't even correspond to files! That's how CF's RDS works: the client actually requests the file /CFIDE/Main/ide.cfm, which doesn't even exist. It is pretty common on modern application servers that URLs are no longer directly connected to files; it doesn't show up much in CF, but it shows up a lot more in other application servers, like Tomcat serving Java web apps.
My guess would be that you can defeat this by removing the new sort of mapping and leaving the old one in place. I'd have to futz around with that to see how exactly it would work, and I'm sure you'd lose some features doing that, but if you want the web server to examine files before passing requests to CF, that's how you'd have to do it. There are two mapping types handled by the CF connector. They both use the same DLL, but they use it in different ways: one for the "old" style and one for the new style of connection.
I'm sorry this is fairly vague on the details, but I haven't messed with that stuff in a while and would have to spend a couple of hours getting back up to speed.
Dave Watts, Eidolon LLC