Secure CFIDE Directory for ColdFusion

Summary

This article goes over securing CFIDE for ColdFusion against malicious uploads (http://www.adobe.com/support/security/advisories/apsa13-01.html).

Update 1/16/2013: Adobe has issued a patch (http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-03.html). DataBank still recommends locking down ColdFusion as described below in addition to applying the patch.

Update 5/15/2013: Due to recent changes in security on DataBank's network, all CF Admin requests are locked down to internal connections only (i.e. from RDC, or through an SSH tunnel for Linux).

Steps

Note that if you are adding a new site to the server, you will need to follow the steps below for securing the CFIDE directory. 

For IIS7, please follow the steps below.

  1. Log into the server via Remote Desktop.  
  2. Run the following via command line for IIS 7.x: %windir%\system32\inetsrv\appcmd.exe unlock config -section:system.webServer/security/ipSecurity
  3. Open Internet Information Services (IIS) Manager and expand the websites.  Find the CFIDE virtual directory for each website and select it.  Expand the CFIDE virtual directory and lock down the following directories: AIR, appdeployment, debug, images, orm, portlets, scheduler, ServerManager, Services, Websocket, wizards, and main.  Directly under the CFIDE folder, also lock down administrator, adminapi, componentutils, probe.cfm, and multiservermonitor-access-policy.xml.
  4. Click the button for IP Address and Domain Restrictions and choose Add Allow Entry... from the sidebar. 
  5. Enter 127.0.0.1 for all three directories, and 69.63.128.150 (the EWH IP address) for the administrator directory only, as the allow entries.  Do this for every folder and file listed in Step 3.  Only localhost can then reach those directories, which prevents malicious uploads to them.  You must do this for each CFIDE directory on the server, i.e. for each website in IIS that has the directory.  Note that if the server is behind a firewall, you may also need to add the server's internal IP address range to the list.

For IIS6, please follow the steps below.
  1. Log into the server via Remote Desktop.  
  2. Open Internet Information Services (IIS) Manager and expand the websites.  Find the CFIDE virtual directory for each of the websites on the server.  Expand the CFIDE virtual directory and lock down the following directories: AIR, appdeployment, debug, images, orm, portlets, scheduler, ServerManager, Services, Websocket, wizards, and main.  Directly under the CFIDE folder, also lock down administrator, adminapi, componentutils, probe.cfm, and multiservermonitor-access-policy.xml.
  3. Choose the Directory Security tab and click Edit next to IP address and domain name restrictions.
  4. Select Denied Access and click the Add button.  Enter 127.0.0.1 for both directories, and 69.63.128.150 (the EWH IP address) for the administrator directory only.  Click OK to close the popup windows.
  5. Do this for every folder and file listed in Step 2.  Only localhost can then reach those directories, which prevents malicious uploads to them.  You must do this for each CFIDE directory on the server, i.e. for each website in IIS that has the directory.  Note that if the server is behind a firewall, you may also need to add the server's internal IP address range to the list.

For Apache, please follow the steps below.

  1. SSH into the server and become root.  Open the Apache configuration file that applies to all sites (httpd.conf).
  2. Add the following to the file (the three LocationMatch patterns are written without a trailing slash so that each one matches the directory itself and everything beneath it):

    <LocationMatch "/CFIDE/administrator">
    order deny,allow
    deny from all
    #allow from local and EWH
    allow from 127.0.0.1
    allow from 69.63.128.150
    </LocationMatch>

    <LocationMatch "/CFIDE/adminapi">
    order deny,allow
    deny from all
    #allow from local and EWH
    allow from 127.0.0.1
    allow from 69.63.128.150
    </LocationMatch>

    <LocationMatch "/CFIDE/componentutils">
    order deny,allow
    deny from all
    #allow from local and EWH
    allow from 127.0.0.1
    allow from 69.63.128.150
    </LocationMatch>

  3. Save the file and restart Apache.
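As an added example (not part of the original article), the following Python check parses an httpd.conf (here a constructed sample) and reports which of the three CFIDE paths above lack a deny-by-default LocationMatch block, or allow a source other than localhost and the EWH address. It assumes the Apache 2.2 style Order/Deny/Allow directives shown in Step 2.

```python
import re

# Constructed sample of an httpd.conf fragment: administrator is locked down,
# adminapi is misconfigured, componentutils has no block at all.
SAMPLE_CONF = """
<LocationMatch "/CFIDE/administrator/">
    order deny,allow
    deny from all
    #allow from local and EWH
    allow from 127.0.0.1
    allow from 69.63.128.150
</LocationMatch>

<LocationMatch "/CFIDE/adminapi">
    order deny,allow
    allow from all
</LocationMatch>
"""

# Paths the article requires to be reachable only from these sources.
LOCKED_PATHS = ("/CFIDE/administrator", "/CFIDE/adminapi", "/CFIDE/componentutils")
ALLOWED_SOURCES = {"127.0.0.1", "69.63.128.150"}

BLOCK_RE = re.compile(
    r'<LocationMatch\s+"([^"]+)"\s*>(.*?)</LocationMatch>', re.IGNORECASE | re.DOTALL)

def parse_blocks(conf):
    """Return {path: [directive lines]} for every LocationMatch block, ignoring comments."""
    blocks = {}
    for m in BLOCK_RE.finditer(conf):
        lines = [l.strip().lower() for l in m.group(2).splitlines()]
        blocks[m.group(1).rstrip("/")] = [l for l in lines if l and not l.startswith("#")]
    return blocks

def audit(conf):
    """Map each locked path to a list of findings; an empty list means compliant."""
    blocks = parse_blocks(conf)
    report = {}
    for path in LOCKED_PATHS:
        findings = []
        directives = blocks.get(path)
        if directives is None:
            findings.append("no LocationMatch block")
        else:
            if "order deny,allow" not in directives:
                findings.append("missing 'order deny,allow'")
            if "deny from all" not in directives:
                findings.append("missing 'deny from all'")
            for d in directives:
                if d.startswith("allow from"):
                    src = d[len("allow from"):].strip()
                    if src not in ALLOWED_SOURCES:
                        findings.append(f"unexpected allow source: {src}")
        report[path] = findings
    return report
```

Run `audit(open("/etc/httpd/conf/httpd.conf").read())` against the real file after Step 3 to confirm every path reports no findings.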

Details

Last Modified: Thursday, September 20, 2018 2:18 PM

Type: HOWTO

Level: Novice

Rated 2 stars based on 2 votes.

Article has been viewed 19,342 times.
