Hi Robert,

CFChart relies on the URI /CFIDE/GraphData.cfm, so if you block /CFIDE then
cfchart also stops working. There is no way I'm aware of to tell CFChart to
use a different URI (I wish there was!). This also adds confusion for some
because the file /CFIDE/GraphData.cfm does not exist in your /CFIDE folder,
but there is a servlet mapping in ColdFusion's web.xml file that allows it
to handle this request.

So you have to keep that URI open if you want to use cfchart, but you will
still want to block the rest of /CFIDE. If you are on IIS7, one way to do
this is using Request Filtering: you will want to add a Deny URL Sequence
for every folder in /CFIDE -- do this at the IIS level applicable to all
sites. Unfortunately you can't say Deny /CFIDE and Allow /CFIDE/GraphData;
it will still block it. This is all covered in the CF9/10 lockdown guides.

Another possible solution might be to rewrite the HTML generated by CFChart
to use a different URI and then set up a virtual directory mapping on the
web server (or alter the servlet mapping in web.xml).

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes



On Mon, Feb 4, 2013 at 4:03 PM, Robert Harrison
<rob...@austin-williams.com> wrote:

>
> Thanks everyone for the help. Many had some very useful advice and were
> dead on about the files and issues with mapping and /CFIDE.
>
> Yes, the culprit files were in CFIDE/adminapi/customtags, but we found a
> curious commonality in all the sites that were affected. Every site
> affected used CFChart. I remember our server guy had to set up some special
> mapping to CFIDE and allow files to be written there because of some sort
> of temp file CFChart uses when creating a .jpg. Now that it's been locked
> down again, CFCHART no longer displays the image.
>
> What should we do to allow CFChart to function without opening a security
> hole?
>
> Thanks,
> Robert
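One way to apply the Request Filtering approach described in Pete's reply, as an added example that is not part of the original thread or of ColdFusion's lockdown guides. It uses the WebAdministration module's Add-WebConfigurationProperty against applicationHost.config, so the Deny URL Sequences apply to every site on the server, and it denies each /CFIDE subfolder by name rather than /CFIDE itself, which is what leaves /CFIDE/GraphData.cfm reachable. The subfolder list is an assumption; compare it against the actual contents of your /CFIDE directory and the CF9/10 lockdown guide for your version.

```powershell
# Added example (not from the original thread): deny every /CFIDE subfolder with
# IIS 7 Request Filtering at the server level, while leaving /CFIDE/GraphData.cfm
# (which cfchart needs) reachable. Requires the WebAdministration module; run elevated.
Import-Module WebAdministration

# Server-wide scope (applicationHost.config), so the rules cover all sites.
$psPath = 'MACHINE/WEBROOT/APPHOST'
$filter = 'system.webServer/security/requestFiltering/denyUrlSequences'

# Assumed list of /CFIDE subfolders to deny; adjust to what is actually present
# in your /CFIDE directory. /CFIDE/scripts is deliberately left out because cfform
# and cfajax load JavaScript from it unless you have relocated that folder.
# GraphData.cfm is a file directly under /CFIDE, so none of these sequences match it.
$cfideFolders = @(
    'administrator', 'adminapi', 'componentutils', 'wizards',
    'install', 'debug', 'classes', 'images', 'AIR', 'services'
)

foreach ($folder in $cfideFolders) {
    $sequence = "/CFIDE/$folder"

    # Skip sequences that are already configured so the script can be re-run safely.
    $existing = Get-WebConfigurationProperty -PSPath $psPath `
        -Filter "$filter/add[@sequence='$sequence']" -Name 'sequence' `
        -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-WebConfigurationProperty -PSPath $psPath -Filter $filter `
            -Name '.' -Value @{ sequence = $sequence }
        Write-Host "Added Deny URL Sequence: $sequence"
    }
}

# Read back the resulting rules for verification.
Get-WebConfiguration -PSPath $psPath -Filter "$filter/add" | Select-Object sequence

# Spot-check from the server itself (hostname is a placeholder). A denied
# sequence answers with HTTP 404.5 "URL sequence denied"; GraphData.cfm should
# not hit Request Filtering at all and is handled by the ColdFusion servlet mapping.
# Invoke-WebRequest 'http://YOUR-CF-HOST/CFIDE/administrator/' -UseBasicParsing
# Invoke-WebRequest 'http://YOUR-CF-HOST/CFIDE/GraphData.cfm' -UseBasicParsing
```

Because Request Filtering denies any URL that contains a configured sequence, the check is on the subfolder path, not the folder it lives in. That is why a single rule for /CFIDE cannot be combined with an exception for GraphData.cfm, and why each subfolder gets its own entry.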

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354286