Thanks Al, really appreciate the input and have now made the necessary changes to all production, dev and UAT servers.

Kind Regards,
Lee

On Saturday, November 12, 2016 at 3:54:22 AM UTC, Al Holden wrote:
> Hi Lee,
>
> As I recall, the OpenBD Admin project was a separate labor of love headed up by Matt Woodward, who I met at a CFOPEN conference in Texas many years ago.
>
> Much like the ACF Admin tools, the project's purpose was simply to help craft the /WEB-INF/bluedragon/bluedragon.xml file and some of the JDBC connection strings by way of a GUI. But once that work has been done, the folders /adminapi and /administrator could probably be entirely removed from the project in production without consequence.
>
> The one security issue I'm aware of is that the /adminapi folder could be *browsed* or *accessed* from the public *without* being logged in (foundeo.com/hack-my-cf/). While I have been able to reproduce the former in a test environment, I haven't been able to do either on our production system. I get 403 Forbidden, although I'm not a professional hack.
>
> Al Holden
>
> On 11/11/2016 12:15 PM, Lee Fortnam wrote:
>> Hi All,
>>
>> Just wondering if anyone has any pearls of wisdom to secure OpenBD 3.1 in a production environment?
>>
>> Apparently there is a well-known CFM Admin hack that is a vulnerability and I am keen to lock it down as much as possible.
>>
>> If anyone has a standard setup that could be shared that would be amazing.
>>
>> Kind Regards,
>>
>> Lee
>
> --
> online documentation: http://openbd.org/manual/
> http://groups.google.com/group/openbd?hl=en
>
> ---
> You received this message because you are subscribed to the Google Groups "Open BlueDragon" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
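One way to enforce the lock-down Al describes when the two folders cannot simply be deleted, written here as an added example and not taken from the thread or from the OpenBD project: a servlet-container security constraint in WEB-INF/web.xml that refuses every request under /adminapi and /administrator. The path names are the ones named in the thread; the assumption is that OpenBD is deployed as a standard servlet web application whose container honours web.xml security constraints. An empty auth-constraint means no role is permitted, so the container answers such requests with 403 Forbidden rather than serving the admin pages or a directory listing.

```xml
<!-- Added example, not from the OpenBD project. Place inside the <web-app>
     element of WEB-INF/web.xml. Assumes a servlet container (Tomcat, Jetty,
     etc.) that enforces security constraints; the two URL patterns are the
     admin folders named in the thread. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>OpenBD admin folders (deny all)</web-resource-name>
    <!-- Both folders and everything beneath them, every HTTP method. -->
    <url-pattern>/adminapi/*</url-pattern>
    <url-pattern>/administrator/*</url-pattern>
  </web-resource-collection>
  <!-- An empty auth-constraint grants access to no role at all, so the
       container rejects the request before any CFM code runs. -->
  <auth-constraint/>
</security-constraint>
```

After redeploying, a request to either path from a browser that is not logged in should return the 403 Forbidden Al reports seeing on his production system; a 200 response or a directory listing means the constraint is not in effect. Removing the folders from the production build, as Al suggests, remains the simpler fix, and the constraint then costs nothing if a later deployment accidentally restores them.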
