Re: CFC Security Flaw
This is the expected behavior, as calling a CFC from a URL without passing it anything 'tells' CF to try and show it in the CFC documentation tool that comes with CF. At the moment, there's nothing that can be done, but someone may start looking through the .xml files that come with CF and see where the mapping to the cfcexplorer exists and rewrite it. I'll log this as a minor annoyance (rather than a bug) for Adobe.

> I'm having a problem right now... I've set up a subdomain for an API for functions of my site: api.domain.com. The web service URL is something like api.domain.com\folder\functions.cfc?wsdl
>
> It works great. But if I remove ?wsdl from the URL I'm directed to cfadmin on the server. Granted, it's passworded, but that's trivial; customers shouldn't even have access to this. Yet without the virtual directories, I get an error that it can't find cfcexplorer.cfc.
>
> What am I supposed to do?

~|
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:232219
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: CFC Security Flaw
Thanks Michael. Though it's a bit more than a minor annoyance. I mean, sure, the CF admin is pretty solidly secure. But the first line of security with it is the inability for the public to access it, or at least access it easily. The current customer this API is being written for is pretty stand-up; I don't expect any havoc from them, but plans to open this up to other customers have to be delayed. I'm sure it's not a bug, but I think it wasn't very well planned.

On 2/14/06, Michael Dinowitz [EMAIL PROTECTED] wrote:

> This is the expected behavior, as calling a CFC from a URL without passing it anything 'tells' CF to try and show it in the CFC documentation tool that comes with CF. At the moment, there's nothing that can be done, but someone may start looking through the .xml files that come with CF and see where the mapping to the cfcexplorer exists and rewrite it. I'll log this as a minor annoyance (rather than a bug) for Adobe.
>
> > I'm having a problem right now... I've set up a subdomain for an API for functions of my site: api.domain.com. The web service URL is something like api.domain.com\folder\functions.cfc?wsdl
> >
> > It works great. But if I remove ?wsdl from the URL I'm directed to cfadmin on the server. Granted, it's passworded, but that's trivial; customers shouldn't even have access to this. Yet without the virtual directories, I get an error that it can't find cfcexplorer.cfc.
> >
> > What am I supposed to do?

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:232221
Re: CFC Security Flaw
You're not actually going to the CF admin, just the CF admin login page. Once you log in, you'll be taken to the CFC explorer, not the admin.

The solution is to not put the CFIDE directory on your domain. Set up another private domain (ideally only accessible from within your server infrastructure) that hosts the admin area. You will have to put part of the contents on your real domain if you use CFWDDX with JS and/or CFFORM, but there are no security implications to that, as they're designed to be public facing.

Once you remove the directory, you'll get 404 errors when you try to browse to a CFC without ?wsdl or ?method. If you want to deal with that, just use a standard 404 template as you would for any other missing page.

cheers,
barneyb

On 2/14/06, Tony Hicks [EMAIL PROTECTED] wrote:

> I'm having a problem right now... I've set up a subdomain for an API for functions of my site: api.domain.com. The web service URL is something like api.domain.com\folder\functions.cfc?wsdl
>
> It works great. But if I remove ?wsdl from the URL I'm directed to cfadmin on the server. Granted, it's passworded, but that's trivial; customers shouldn't even have access to this. Yet without the virtual directories, I get an error that it can't find cfcexplorer.cfc.
>
> What am I supposed to do?

--
Barney Boisvert
[EMAIL PROTECTED]
360.319.6145
http://www.barneyb.com/

Got Gmail? I have 100 invites.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:23
RE: CFC Security Flaw
-----Original Message-----
From: Tony Hicks [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 14, 2006 1:10 PM
To: CF-Talk
Subject: CFC Security Flaw

> I'm having a problem right now... I've set up a subdomain for an API for functions of my site: api.domain.com. The web service URL is something like api.domain.com\folder\functions.cfc?wsdl

Since you appear to have control over the server, I highly recommend that you protect the CFAdmin folder using operating-system-level protection as well. That way you'll still get errors in this case (it's okay to give errors when somebody does something they're not supposed to), but you'll get stronger OS-level security on the folder. You should also be able to restrict the folder to specific IP addresses only (many people restrict it to local console access only) and so forth.

Remember: the CF Admin is just a web application. You should protect it like you would any other one with those kinds of capabilities.

Jim Davis

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:232224
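The two pieces of advice above (Barney: keep CFIDE off the public host and hand out a 404 for a bare .cfc URL; Jim: lock the administrator folder down at the web-server/OS level and by source IP) can be expressed as web-server configuration. The following is an added example written for this thread, not configuration posted by anyone in it or shipped with ColdFusion. It assumes Apache httpd 2.2 with mod_rewrite, a hypothetical ColdFusion webroot at /opt/coldfusion/wwwroot, a hypothetical API docroot at /var/www/api, the hostname api.domain.com from Tony's post, and an invented private hostname cfadmin.internal; adjust paths, names and the management network range to your own server.

```apache
# Added example, not from the thread. Paths, cfadmin.internal and the
# 10.0.0.0/8 management range are assumptions for illustration.

# BEFORE: the situation described in the thread. The public API host also
# serves /CFIDE, so GET /folder/functions.cfc (no ?wsdl) is handed to the
# CFC explorer, which sits behind the administrator login page.
<VirtualHost *:80>
    ServerName api.domain.com
    DocumentRoot /var/www/api
    Alias /CFIDE /opt/coldfusion/wwwroot/CFIDE     # exposed to every client
</VirtualHost>

# AFTER: public API host with no administrator or CFC explorer reachable.
<VirtualHost *:80>
    ServerName api.domain.com
    DocumentRoot /var/www/api

    # Only the client-side assets CFFORM / CFWDDX-with-JS need are published,
    # not the whole CFIDE tree.
    Alias /CFIDE/scripts /opt/coldfusion/wwwroot/CFIDE/scripts

    # Belt and braces: even if someone later aliases all of /CFIDE here,
    # the administrator path stays closed on the public host.
    <Location /CFIDE/administrator>
        Order deny,allow
        Deny from all
    </Location>

    RewriteEngine On
    # A .cfc URL is served only when the query string carries wsdl or
    # method=...; anything else gets a plain 404 instead of the explorer.
    RewriteCond %{QUERY_STRING} !(^|&)wsdl(&|$) [NC]
    RewriteCond %{QUERY_STRING} !(^|&)method=    [NC]
    RewriteRule \.cfc$ - [R=404,L]

    # Standard missing-page template, as for any other 404.
    ErrorDocument 404 /404.cfm
</VirtualHost>

# Admin host: a separate name, reachable only from the management network
# (and the local console), so the login page is never a public URL.
<VirtualHost *:80>
    ServerName cfadmin.internal
    DocumentRoot /opt/coldfusion/wwwroot
    <Location /CFIDE/administrator>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 10.0.0.0/8
    </Location>
</VirtualHost>
```

After reloading, check both hosts from an outside address: api.domain.com/folder/functions.cfc?wsdl should still return the WSDL, the same path without the query string should return the 404 template, and api.domain.com/CFIDE/administrator/ should return 403, with the login page answering only on cfadmin.internal from the allowed range. On Apache 2.4 the Order/Deny/Allow lines become `Require all denied` and `Require ip 127.0.0.1 10.0.0.0/8`. The IP restriction is a layer on top of the administrator password, not a replacement for it, and on a hosted box the same folder should also carry filesystem permissions that keep it out of the public docroot, as Jim suggests.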
Re: CFC Security Flaw
Good points. Thanks for the tips.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:232240