> well I guess I never saw it because I always keep the cfadmin in the
> default website and lock it down, and always create a copy of the CFIDE
> without the admin or adminapi for all other sites. So there is always a
> REAL CFIDE.

That, by itself, is not sufficient. You can have a "real CFIDE" without the CF Administrator and CF will still run scripts that aren't in it. Again, this boils down to a few simple things: if CF receives the request, and has a corresponding servlet mapping, CF can in many cases run the request whether or not the file actually exists where the web server thinks it should exist.

> I have just gone and checked some cf sites on several servers for sanity,
> and could not access /cfide/administrator/index.cfm on any of them.

That is good! But perhaps you are doing other things as a matter of course that are preventing this behavior. And I wouldn't be surprised if you are doing these other things, because they're commonly done by people who are concerned about security. Again, though, the "out-of-the-box" behavior does not guarantee that these scripts can't be executed.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354479
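The manual check described in the thread (requesting /CFIDE/administrator/index.cfm on each site and seeing whether CF answers it) can be scripted so it is repeated after every change to the connector or site configuration. This is an added example, not code from the thread or from Fig Leaf; the host list is a constructed placeholder, and the `classify` rules (treating 401/403/404 as blocked and a 200 whose body mentions the Administrator as exposed) are the author's assumptions, to be adjusted to what your own web server returns.

```python
"""Verify that CF Administrator paths are not served on the sites you own.

Added example, not from the cf-talk thread. SITES below is a constructed
placeholder; the classification thresholds are assumptions. Standard library only.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Paths that only the locked-down default site should ever answer.
ADMIN_PATHS = ("/CFIDE/administrator/index.cfm", "/CFIDE/adminapi/")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface redirects as HTTPError instead of following them


def classify(status, body):
    """Turn an HTTP status and (partial) body into a verdict for one path.

    A 401/403/404 means the web server or CF refused the request (wanted).
    A 200 whose body looks like the Administrator login means CF executed
    the script even if the site's own docroot does not contain it.
    """
    if status in (401, 403, 404):
        return "blocked"
    if status == 200 and ("administrator" in body.lower() or "coldfusion" in body.lower()):
        return "EXPOSED"
    if status in (301, 302, 303, 307):
        return "redirected"  # often a bounce to the login page; inspect by hand
    return f"unexpected-{status}"


def probe(base_url, path, timeout=5):
    """Request one admin path on one site and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urljoin(base_url, path), timeout=timeout) as resp:
            return classify(resp.status, resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # non-2xx answers land here
        return classify(err.code, err.read(4096).decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError) as err:
        return f"error: {err}"


def check_sites(sites):
    """Probe every admin path on every site; returns {(site, path): verdict}."""
    return {(s, p): probe(s, p) for s in sites for p in ADMIN_PATHS}


if __name__ == "__main__":
    SITES = ["https://www.example.com/"]  # constructed placeholder; use your own hosts
    for (site, path), verdict in check_sites(SITES).items():
        print(f"{verdict:14} {urljoin(site, path)}")
```

Anything other than `blocked` on a non-default site deserves a look at the connector's servlet mappings, since a missing directory in the docroot is not what decides whether CF runs the script.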

