Is there any way to modify adminapi/base.cfc

Hi Pete,

Thanks you very much for your answer and your advice. That's correct, I have some legacy code on a external website with CF 7 that request web services from this server, and failed when using Axis2. I should really rewrite that code (and convince the client to move the web to a hosting provider with an higher version), but meanwhile, I think it will be faster to talk with our server's tech people and try to block all requests except the ones from that external website, I hadn't thought of that..

Best wishes,

And Ernesto, to be clear, you DO NOT need to leave that open for your other web service calls. The AdminAPI is something that really never should have been exposed on the web. As Pete says, you can and should (almost always) block it the way he proposes.

And here’s good news: if you move to CF11 (or if others reading this are running it), you can also prevent access to the AdminAPI by a new security feature in the CF Admin (under Security>Allowed IP Addresses, then the second section on the page, “Allowed IP Addresses for accessing ColdFusion Administrator and ColdFusion Internal Directories”). While that page is in the CF 10 Admin also, it doesn’t indicate “and ColdFusion Internal Directories”.

Hey Pete, can you confirm if it was indeed that CF11 alone now blocks the adminapi with this? Or was it maybe in 10 also, but just not properly indicated on the server? I’ve been meaning to test that, but cannot do that at the moment.

Finally, Ernesto, you end saying you will have your folks “try to block all requests except the ones from that external website”. I would caution you (as Pete surely would, too) that you don’t want to do that only for this site. You want to do it for all sites. If you’re using IIS, you would want to block /CFIDE/adminapi in the request filter feature at the server level, not just at a specific site level. (If somehow you needed the AdminAPI open in a given site, you could remove it there. But really, it is HIGHLY unlikely that one ever needs that open via the web. And to be clear, you do NOT lose access to the AdminAPI via CFML, when invoked as a CFC. It’s JUST web access we’re locking down here.)

Hope that’s helpful.

/charlie

@Charlie - that Allowed IP address feature only applies to AdminAPI in CF11, in CF10 and below it referrs to the ColdFusion services /CFIDE/services/  - Also Ernesto may have been referring to my comment about blocking all .cfc requests on the web server, except the internal CF7 servers which need to hit his web services. Either way good points. @Ernesto - big +1 to Charlie's comments about blocking /CFIDE/adminapi globally, even if you block cfc file extension defense in depth never hurts.

Thanks you very much for your comments. Yes, when talking about "block all request except the ones from that external website” I was referring to adminapi/base.cfc

I'm aware that I must take a deep look at the Lockdown Guide and block as much as possible on the CFIDE directory, The problem is that we make extensive use of cfforms, graphs and ajax, and I'm a bit afraid that I could break something 

Thanks again to both for all your comments and suggestions.

@Ernesto, those things (in your last paragraph) are about the CFIDE/scripts folder, so as long as you don’t block that (or if you setup an alternative scripts virtual directory, also discussed in the lockdown guide), you should be ok there.

@Pete, thanks for confirming my suspicion that the adminapi is not blocked by the “allowed ip addresses” in CF 10, only in 11.

/charlie