> > > That approach may work in some cases, but there are cases where
> > > /CFIDE/administrator/index.cfm may still resolve even if there is no
> > > folder there (or no virtual directory).
> >
> > You're going to have to explain how /CFIDE/administrator/index.cfm
> > could resolve when the CFIDE mapping is pointing to a directory that
> > is a duplicate CFIDE with *all* the administrator folders removed.
> >
> > I must be missing something here, but how can it resolve when there is
> > definitely no file or folder and the mappings in CF and the web server
> > all point at the duplicate? Has CF got some special code that I should
> > know about that breaks the rules as to how web servers work? I've been
> > working with CF since 4.0 and never seen it serve a page that does
> > not exist...
>
> First, I strongly recommend you actually try to get the URL and see
> what happens.

I did before I posted asking for clarification. I got a 404.

> OK, now that you've done that: CF serves all sorts of pages that don't
> exist. You may read up in this very thread about CFCHART, which relies
> on a URL pattern that doesn't exist. CF relies on servlet mappings,
> which may or may not correspond with actual URLs. Typically, they do,
> but there are some specific URL mappings that are created by default
> when you install CF, and one of them is /CFIDE/Administrator/index.cfm.
> Another is /CFIDE/Main/ide.cfm - this is another file that doesn't even
> exist by default.

I understand that under special circumstances like CFChart it serves pages that don't exist. But in the scenario I outlined, where CFIDE mappings have been re-pointed to a folder that does not carry the administrator folders and the web server provides a virtual directory to the very same duplicated CFIDE folder, I fail to see how it would ever serve the content from the administrator and adminapi folders...

> So, you need to specifically configure your web server to reject these patterns.
> The CF 9 Lockdown Guide (which I believe Pete wrote in part, if not in
> full) describes how to do this for IIS and Apache.

That's fair enough, and I do lock down our servers extensively, hopefully following what is best practice along the way; the lockdown guides for different versions of CF are part of that process for me.

Paul

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354293
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
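The disagreement above comes down to one point: the quoted reply says the administrator URL is resolved through a servlet mapping created at install time, not by looking for a file, so checking that the duplicate CFIDE folder contains no administrator directory tells you nothing about whether the URL is reachable, and the deny rule has to be a URL-pattern rule in the web server. The following is an added, constructed model of that point; it is not ColdFusion's code and not from the thread. The two mapped paths are the ones the reply names; the handler names, the "duplicate CFIDE" file list and the assumption that the server matches paths case-insensitively (as IIS on Windows does) are mine.

```python
# Constructed, simplified model (not ColdFusion's own code) of why a
# file-system check cannot tell you whether /CFIDE/administrator is reachable:
# the URL is resolved through a servlet-style mapping, not by finding a file,
# so the deny rule has to live in the web server and match the URL pattern.
import posixpath
from urllib.parse import unquote

# Assumed: URL patterns mapped at install time regardless of files on disk.
# The two paths are the ones named in the thread; handler names are placeholders.
SERVLET_MAPPINGS = {
    "/cfide/administrator/index.cfm": "administrator-handler",
    "/cfide/main/ide.cfm": "ide-handler",
}

# Constructed "duplicate CFIDE" folder: the administrator and adminapi
# folders have been removed; only client-side script files remain.
DUPLICATE_CFIDE_FILES = {
    "/cfide/scripts/cfform.js",
    "/cfide/scripts/ajax/package/cfajax.js",
}

# Web-server deny rules, expressed as normalised path prefixes.
BLOCKED_PREFIXES = (
    "/cfide/administrator/",
    "/cfide/adminapi/",
    "/cfide/main/ide.cfm",
)


def normalize_path(raw_url: str) -> str:
    """Reduce a request URL to a canonical, lower-case absolute path.

    Query string dropped, percent-encoding decoded, backslashes and repeated
    slashes collapsed, '.' and '..' segments resolved. Lower-casing models a
    case-insensitive server such as IIS on Windows (an assumption here).
    """
    path = raw_url.split("?", 1)[0]
    path = unquote(path)
    path = path.replace("\\", "/")
    while "//" in path:
        path = path.replace("//", "/")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path).lower()


def web_server_allows(raw_url: str) -> bool:
    """The deny rule: True unless the normalised path hits a blocked prefix."""
    path = normalize_path(raw_url)
    for prefix in BLOCKED_PREFIXES:
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return False
    return True


def file_exists_on_disk(raw_url: str) -> bool:
    """What an 'is there a file there?' check sees in the duplicate folder."""
    return normalize_path(raw_url) in DUPLICATE_CFIDE_FILES


def cf_resolves(raw_url: str):
    """Model of the resolution order: servlet mapping first, then a real file."""
    path = normalize_path(raw_url)
    if path in SERVLET_MAPPINGS:
        return SERVLET_MAPPINGS[path]
    if path in DUPLICATE_CFIDE_FILES:
        return "static-file"
    return None


def handle_request(raw_url: str, web_server_rule: bool = True) -> int:
    """Return the HTTP status the model produces for one request."""
    if web_server_rule and not web_server_allows(raw_url):
        return 403
    return 200 if cf_resolves(raw_url) else 404


if __name__ == "__main__":
    admin = "/CFIDE/administrator/index.cfm"
    print("file on disk:", file_exists_on_disk(admin))        # False
    print("without deny rule:", handle_request(admin, False))  # 200
    print("with deny rule:", handle_request(admin))            # 403
```

The model keeps the three pieces separate on purpose: `file_exists_on_disk` is the check Paul's scenario relies on and returns False, `cf_resolves` still returns the mapped handler, and only `web_server_allows` changes the outcome. Normalising before matching is what makes a rule written once cover `/CFIDE/Administrator/`, a percent-encoded spelling, or a path with `..` segments; in a real deployment that rule is the IIS request-filtering or Apache `Location` configuration the lockdown guide describes, and this script only shows why it is needed.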

