Hi Paul,

That approach may work in some cases, but there are cases where
/CFIDE/administrator/index.cfm may still resolve even if there is no folder
there (or no virtual directory). We often receive reports saying that
hackmycf.com is incorrectly reporting CF administrator open because
/CFIDE/administrator/ returns a 404, but if you add index.cfm to the end it
will in fact resolve CF administrator. That's why it is so important to put
explicit blocks to /CFIDE URIs in place on your web server.

In addition, the administrator is not the only folder to be worried about
under /CFIDE; several other folders have had exploits, including adminapi,
componentutils, wizards, scripts, and perhaps others.

In short, you should block as much of the /CFIDE as you possibly can.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
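Pete's point is that a 404 on /CFIDE/administrator/ proves nothing, because the ColdFusion connector handles requests for .cfm files before the web server looks for a directory on disk. The explicit URI block he recommends looks like the following on Apache 2.4. This is an added example, not configuration from Pete's message or from Foundeo; the folder list is taken from the thread, and the case-insensitive match is added because ColdFusion on Windows resolves /cfide/ the same as /CFIDE/.

```apache
# Added example: deny the CFIDE admin URIs at the web server regardless of
# whether the folders exist on disk. Apache 2.4 syntax.
# Folders named in the thread: administrator, adminapi, componentutils, wizards.
# "scripts" is omitted from the deny list here because cfform/cfchart load
# assets from it; decide per application whether it can be blocked too.
<LocationMatch "(?i)^/CFIDE/(administrator|adminapi|componentutils|wizards)(/|$)">
    Require all denied
</LocationMatch>

# If administrators must reach the console over the web, narrow the exception
# instead of leaving the URI open (10.0.0.0/8 is a placeholder admin network):
# <Location "/CFIDE/administrator/">
#     Require ip 10.0.0.0/8
# </Location>
```

After reloading, request /CFIDE/administrator/index.cfm (and a mixed-case variant such as /cfide/Administrator/index.cfm) against your own server and confirm a 403 rather than a login page; a 404 on the bare directory is not a useful test for the reason Pete gives.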



On Mon, Feb 4, 2013 at 4:29 PM, Paul Vernon <[email protected]> wrote:

>
> > What should we do to allow CFChart to function without opening a
> > security hole?
>
> What we do is this.
>
> 1. Duplicate the CFIDE directory in full.
> 2. In the duplicate, remove the administration folders altogether.
> 3. In all but the CFAdmin site itself on the server (which should really
> not be accessible over the web), map the CFIDE to the version that no longer
> contains the admin folder.
>
> This stops no end of possible security threats before they can start and if
> this had been implemented on your server would probably have stopped the
> hack from being successful.
>
> Paul
>

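Paul's steps 1 and 2 (duplicate CFIDE, strip the administration folders, then map every public site to the stripped copy) can be scripted so the public copy is rebuilt the same way after each ColdFusion update. The following is an added example, not a script from Paul or Pete: the source and destination paths, the folder list and the sample tree it builds are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: build the stripped CFIDE copy that public sites are mapped to.
# Folder list comes from the thread; "scripts" is kept because cfform/cfchart
# serve assets from it (adjust CFIDE_STRIP_DIRS if your sites do not need it).
CFIDE_STRIP_DIRS="administrator adminapi componentutils wizards"

# build_public_cfide SRC DST
# Copies SRC to DST (replacing DST), removes every folder in CFIDE_STRIP_DIRS,
# then refuses to succeed if any of them is still present.
build_public_cfide() {
    src="$1"
    dst="$2"
    [ -d "$src" ] || { echo "source $src is not a directory" >&2; return 1; }
    rm -rf "$dst"
    cp -R "$src" "$dst" || return 1
    for d in $CFIDE_STRIP_DIRS; do
        rm -rf "$dst/$d"
    done
    # Post-condition check: nothing admin-related may survive in the public copy.
    for d in $CFIDE_STRIP_DIRS; do
        if [ -e "$dst/$d" ]; then
            echo "refusing to publish: $dst/$d still present" >&2
            return 1
        fi
    done
    return 0
}

# cfide_has_admin DIR
# True when DIR still carries the admin entry point Pete describes, i.e. the
# file that resolves even when the directory itself answers 404.
cfide_has_admin() {
    [ -f "$1/administrator/index.cfm" ]
}

# Demo on a constructed sample tree (placeholder files, not a real CFIDE).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/CFIDE/administrator" "$demo_dir/CFIDE/adminapi" \
         "$demo_dir/CFIDE/scripts"
echo "placeholder" > "$demo_dir/CFIDE/administrator/index.cfm"
echo "placeholder" > "$demo_dir/CFIDE/scripts/cfform.js"
if build_public_cfide "$demo_dir/CFIDE" "$demo_dir/CFIDE-public"; then
    echo "public copy built at $demo_dir/CFIDE-public"
fi
if cfide_has_admin "$demo_dir/CFIDE-public"; then
    echo "WARNING: public copy still exposes the administrator"
else
    echo "public copy carries no administrator entry point"
fi
```

Step 3 is then a matter of pointing each public site's CFIDE virtual directory at the DST path; only the admin site keeps the untouched copy, and that site should not be reachable from the internet, as Paul notes.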
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354289