Mapping CFIDE is a security risk

I’ve been playing a little with the <cfcalendar> tag in an app I’m working on. It seems that for the Flash to be usable, you need a /CFIDE mapping on your server. Which is all well and good, except that on a production-level server, you’re a certifiable nutjob if you have a live /CFIDE, as it opens up access to the CF Administrator. If you need access to the CF Administrator, and therefore to /CFIDE, it should be on a separate virtual server which:

  • responds on a different, preferably non-routable, IP address
  • is mapped on a non-standard TCP port
  • is turned off unless you are actually changing the CF server settings right now

Now, unless there’s a way to shut off CF Administrator access (short of deleting the administrator directory or IP-limiting it) that I don’t know about (and I’m happy to be proved wrong), having to map /CFIDE on your servers is a significant security risk. It’s certainly not one I’d be prepared to take.

This issue has been mentioned in a number of TechNotes (1, 2) and articles (1, 2 – the second is particularly good and very thorough) at Macromedia, but I’m not reassured that most people setting up ColdFusion servers will read these and take the right action. To my mind, it would be better to have another external directory containing all these assets (Flash tools, Java applets, etc.) which a developer might drop into their app. Keep that directory well away from the /CFIDE.
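The policy the post argues for, serving only the client-side assets (the cfform Flash bits under /CFIDE/scripts) from the public virtual server and refusing /CFIDE/administrator and /CFIDE/adminapi there, can be checked mechanically. The following is an added Python illustration written for this page, not ColdFusion, IIS or Macromedia code; it assumes only the directory names already mentioned in the post and the replies, and the access-log lines at the bottom are constructed samples. It shows two things a practitioner wants: that any path comparison has to run after canonicalization (case, percent-encoding, doubled slashes and dot segments), and a scan of the public server's access log that flags requests aimed at the administrator, where a 200 response means the mapping is live.

```python
"""Model of the /CFIDE mapping policy recommended in the post.

Stand-alone Python illustration (not ColdFusion or web-server code):
serve only /CFIDE/scripts on the public virtual server, deny everything
else under /CFIDE, and flag administrator requests in the access log.
"""
import posixpath
import re
from urllib.parse import unquote

# Under /CFIDE, only the client asset directory cfform needs is public.
CFIDE_PUBLIC_PREFIXES = ("/cfide/scripts/",)

# Directories that must never be reachable from the public server.
CFIDE_ADMIN_PREFIXES = ("/cfide/administrator/", "/cfide/adminapi/")


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path before any prefix comparison.

    Strips the query string, percent-decodes twice (to catch double
    encoding), turns backslashes into slashes, collapses repeated slashes
    and dot segments, and lower-cases the result, mirroring IIS on a
    case-insensitive filesystem.  Without this step '/cfide/Administrator'
    or '/CFIDE/scripts/..%2Fadministrator/' would slip past a naive check.
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    path = unquote(unquote(path)).replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    path = re.sub(r"/+", "/", path)      # '//cfide' would survive normpath
    trailing = path.endswith("/")
    path = posixpath.normpath(path)      # resolves '..' and '.', drops trailing '/'
    if trailing and not path.endswith("/"):
        path += "/"
    return path.lower()


def _under(path: str, prefixes) -> bool:
    """True if the canonical path is one of the directories or inside it."""
    return any(path == p.rstrip("/") or path.startswith(p) for p in prefixes)


def cfide_request_allowed(raw_path: str) -> bool:
    """Decide whether the public virtual server should serve this path.

    Anything under /CFIDE that is not a known client asset directory is
    refused, so administrator and adminapi are denied by default and not
    only by the explicit blocklist.
    """
    path = normalize_path(raw_path)
    if not path.startswith("/cfide/"):
        return True                      # not a /CFIDE request; other rules apply
    if _under(path, CFIDE_ADMIN_PREFIXES):
        return False
    return _under(path, CFIDE_PUBLIC_PREFIXES)


# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def admin_probe_attempts(log_lines):
    """Return (ip, raw path, status) for requests aimed at CF Administrator.

    Meant for the access log of the public server, where such requests
    should never succeed: a 200 here means /CFIDE is mapped and exposed.
    """
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and _under(normalize_path(m["path"]), CFIDE_ADMIN_PREFIXES):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


# Constructed sample log lines (documentation addresses, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2005:13:55:36 +0100] "GET /CFIDE/scripts/cfform.js HTTP/1.1" 200 18342',
    '192.0.2.25 - - [10/Oct/2005:13:56:01 +0100] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '192.0.2.25 - - [10/Oct/2005:13:56:02 +0100] "GET /cfide/Adminapi/base.cfc HTTP/1.1" 403 211',
    '192.0.2.30 - - [10/Oct/2005:13:57:10 +0100] "GET /index.cfm HTTP/1.1" 200 2048',
    '192.0.2.25 - - [10/Oct/2005:13:57:44 +0100] "GET /CFIDE/scripts/..%2Fadministrator/ HTTP/1.1" 404 120',
]

if __name__ == "__main__":
    for ip, path, status in admin_probe_attempts(SAMPLE_LOG):
        flag = "EXPOSED" if status == 200 else "blocked"
        print(f"{flag:8} {ip} {path}")
```

Run against a real log, the interesting output is any line marked EXPOSED: it means the administrator answered on the public server, which is exactly the state the post says a production box should never be in. The deny-by-default shape of `cfide_request_allowed` also answers the worry in the replies about whether blocking just the administrator and adminapi folders is enough: everything under /CFIDE other than the asset directory is refused, so a directory nobody thought to list is not silently served.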

3 Replies to “Mapping CFIDE is a security risk”

  1. Hey Steve,

    I know this is an old blog but I thought I’d chip in.

    I’d recently run into the same problem that you have explained above, and I agree, this is a huge security problem.

    Here is how I worked around it:
    I created a new folder in my webroot called CFIDE and copied the scripts folder from the legit cfide folder under my own “custom” one. I found that this is all cfform required for flash forms in CF7.

    Hope it helps someone.

    Ben

  2. How do you create a virtual directory mapping in IIS to the CFIDE directory? I need this to get the cfform required to work. This is for my local machine.

  3. Don’t know if this is still a problem with the current version (I think it is). But is it safe to map the CFIDE as virtual and disable anonymous access (MS IIS) for the adminapi and administrator folder?
