
Is your ColdFusion Administrator Actually Public?

Published on April 28, 2010
By Pete Freitag

Every so often I get an email back from someone who ran HackMyCF.com saying something like this:

Your scanner says our ColdFusion Administrator is publicly accessible, but I don't think that's true. Am I missing something?

If you request /CFIDE/administrator/ on their server you get a 404. But if you request /CFIDE/administrator/index.cfm on the same server, it resolves to the ColdFusion Administrator login page. Take a minute to try both URLs against your own server; you may be surprised by the result.
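A small probe that performs exactly that check, added here as an example (it is not code from the original post or from HackMyCF). It requests the directory URL and the explicit index.cfm, then decides whether the response is the Administrator login page. The lowercase path variant and the two marker strings are assumptions: the lowercase path tests that any block rule you later add is case-insensitive, and the markers should be adjusted to whatever your ColdFusion version actually sends.

```python
"""Probe a site for the /CFIDE/administrator exposure described above.

Usage: python cfide_probe.py http://www.example.com
Exit status is 1 if any probed URL looks like the CF Administrator.
"""
import sys
import urllib.error
import urllib.request

# The directory URL alone may 404 while the explicit index.cfm is still
# handed to ColdFusion by the wildcard mapping, so both must be probed.
# The lowercase variant is an addition here: it checks that any block
# rule you add is case-insensitive, since IIS paths are.
ADMIN_PATHS = (
    "/CFIDE/administrator/",
    "/CFIDE/administrator/index.cfm",
    "/cfide/administrator/index.cfm",
)

# Strings expected in the Administrator login page (compared lower-cased).
# Assumption: tune these to what your ColdFusion version returns.
ADMIN_MARKERS = ("coldfusion administrator", "cfadminpassword")


def http_fetch(url, timeout=10):
    """GET url and return (status, body).

    HTTP error statuses are returned rather than raised; connection
    failures yield (None, "") so the caller can report them.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "cfide-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def looks_like_admin(status, body):
    """True only for a 200 whose body carries an Administrator marker.

    A custom error page that merely mentions ColdFusion is not a hit,
    because its status is not 200.
    """
    if status != 200:
        return False
    lowered = body.lower()
    return any(marker in lowered for marker in ADMIN_MARKERS)


def probe(base_url, fetch=http_fetch):
    """Return {path: (status, exposed)} for every path in ADMIN_PATHS.

    `fetch` is injectable so the logic can be exercised without a network.
    """
    base = base_url.rstrip("/")
    results = {}
    for path in ADMIN_PATHS:
        status, body = fetch(base + path)
        results[path] = (status, looks_like_admin(status, body))
    return results


def exposed_paths(results):
    """Paths from probe() that resolved to the Administrator."""
    return [path for path, (_, hit) in results.items() if hit]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(__doc__)
    found = probe(sys.argv[1])
    for path, (status, hit) in found.items():
        print(f"{str(status):>4}  {'EXPOSED' if hit else 'ok'}  {path}")
    sys.exit(1 if exposed_paths(found) else 0)
```

Run it against each hostname and virtual host you serve, not just the primary one, since the mapping is per site. A 404 on the directory URL next to an EXPOSED on index.cfm is the exact pattern the post describes.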

This happens when there is no /CFIDE folder in the site's web root and no virtual directory mapping /CFIDE on that virtual host.

ColdFusion registers itself in IIS with a wildcard script mapping, so every request is passed to the connector, which decides whether ColdFusion should handle it, even when the requested file does not exist in the site. That is why /CFIDE/administrator/index.cfm is served even though there is no such file in the web root: the connector hands it to ColdFusion, which serves the CFM files under /CFIDE from its own wwwroot. The /CFIDE directory does not need to be in the site's web root for the Administrator to be reachable.

So how do you prevent this?

There are a few ways. The first is to tick "Verify that file exists" on the wildcard script mapping, so IIS checks the disk before handing a request to JRun; but that option can interfere with other ColdFusion features, such as cfchart and Flash Remoting, that rely on URLs with no file behind them.

Another way is to explicitly block the /CFIDE/ or /CFIDE/administrator/ URIs in IIS. On IIS 7 the Request Filtering module is a good choice; on earlier versions consider UrlScan or a rewriting filter such as ISAPI_Rewrite. Whichever tool you use, make the rule case-insensitive (IIS paths are), and if you block all of /CFIDE/ remember that /CFIDE/scripts/ must remain reachable or cfform stops working.
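As an added example (not from the original post): a web.config fragment that uses the IIS 7 Request Filtering module to deny any URL containing the Administrator path. The /CFIDE/adminapi entry is my addition; it is the Administrator API directory installed alongside the Administrator and is not mentioned in the post. Request Filtering runs before the request reaches the wildcard handler, so it covers the explicit index.cfm case as well as the directory URL.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.config for the site (or for the server in applicationHost.xml).
     Sequence matching is a case-insensitive substring match, so
     /cfide/Administrator/index.cfm is caught too. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="/CFIDE/administrator" />
          <!-- Added here: the Administrator API lives beside the
               Administrator and deserves the same treatment. -->
          <add sequence="/CFIDE/adminapi" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

A denied request receives a 404, and the IIS log records substatus 404.5 (URL sequence denied), which is how you confirm the rule fired rather than ColdFusion answering. Since the rule does not touch /CFIDE/scripts/, cfform keeps working; reach the Administrator afterwards through a separate internal-only site or the built-in web server.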

You should also require HTTPS for the ColdFusion Administrator, so the administrator password does not cross the network in clear text.

There are probably other ways to block this, and other causes that are not outlined here, but the bottom line is: check it, and make sure it is blocked.

I haven't seen this issue on any of my Apache/Linux installs, but that doesn't mean it can't show up there; it may just be a side effect of how I set up those servers.





Comments

Created empty folder /CFIDE/Administrator/ and perma-redirecting to site root via IIS6. Seems to do the trick without rewriting.
by Bradley Moore on 05/11/2010 at 3:49:27 PM UTC
Hi Pete,

First, thank you very much for your work on HackMyCF.com.

Second, I just wanted to also note a couple IIS7 settings that I've used (for the CFIDE/administrator directory of each site):

1) Authentication > Anonymous Authentication > Disabled

2) IPv4 Address and Domain Restrictions > Edit Feature Settings > Access for unspecified clients > Deny

Thanks!
-Aaron
by Aaron Neff on 08/04/2010 at 12:25:03 AM UTC
Thanks for the feedback Aaron!
by Pete Freitag on 08/04/2010 at 10:52:34 AM UTC
You're very welcome Pete!
by Aaron Neff on 08/05/2010 at 11:24:51 PM UTC
I've seen this issue reported on several CentOS 5, Apache 2.2.x, ColdFusion 9.0.1 systems. Whether or not this is reported is based on how Apache and ColdFusion are hooked with the Apache connector that ships with ColdFusion.

My preferred method of resolving this is to disallow /CFIDE/administrator/ globally or in all Apache virtual hosts. I prefer to go around the Apache Web server and use the built-in Web server when accessing the CF Admin. Doing this means I need to know the IP of the server (usually a 10 dot or 192 dot IP) and the built-in Web server port (typically 8000 range) in order to log in to the CF Admin.

If I do this I can still access CF resources through the Apache Web server, but not anything in the /CFIDE/administrator/ folder.
by Aaron West on 09/30/2010 at 12:27:04 PM UTC
If anyone is using Apache and ColdFusion together and you want to disable access to any instance of a ColdFusion Administrator through Apache, you can use the Location directive located at this pastebin URL.

http://pastebin.com/raw.php?i=ZmrQLRH4
by Aaron West on 09/30/2010 at 1:28:06 PM UTC
@Russ, in addition to your technique, I'd also like to point out that you can have /CFIDE/scripts/ be at any location you want since there is a ColdFusion Administrator setting for it. See: http://www.petefreitag.com/item/774.cfm
by Pete Freitag on 01/21/2011 at 3:53:24 PM UTC
Just wanted to add some help here for locking down CFIDE in an IIS 5 or 6 environment that may be easier for some than some of the previous suggestions. The information is in this post:
http://www.morgankelsey.com/post/how-to-lock-down-cfide-in-iis

I'll paste in a bit of the detail here as well:
-----------------------------------------------
- Open IIS, expand each site that has a virtual mapping to CFIDE.
- Right click CFIDE and click Properties.
- Go to the Directory Security tab.
- Click the Edit button inside the "IP Address and domain name restrictions" section.
- Click the radio for "Denied access except for the following".
- Add your machine's internal IP, and add 127.0.0.1.
- Click OK, etc.

Now you need to allow access to /CFIDE/scripts/, or your cfforms won't work.

- Right click /CFIDE/scripts/ and click Properties.
- Go to the Directory Security tab.
- Click the Edit button inside the "IP Address and domain name restrictions" section.
- Click the radio for "Granted Access".
- Click OK, etc.

Go to the command prompt and issue the iisreset command.

Make sure you can still get to your CFAdmin while logged onto your box directly. Make sure you can't from the outside world.
by Nick Gleason on 04/14/2012 at 5:56:53 PM UTC
Hello, if anyone is using Apache and ColdFusion together and you want to disable access to any instance of a ColdFusion Administrator through Apache, you can use the Location directive located at this URL. http://imp.mn/CYsfK
by Mike Roch on 03/24/2018 at 12:51:34 PM UTC