System information
Adobe documentation - Confidential
Consider adding additional URIs to this file (see tables 2.10.1 and 2.10.2); also consider restricting all of /CFIDE to a set of IP addresses:
*/CFIDE/*=127.0.0.1,::1
Repeat this section for each connector.
Lockdown File Extensions
ColdFusion provides a number of capabilities that are not commonly used and can be blocked. A good example is JSP file execution. Here is a list of file extensions that can usually be blocked (check with developers first):
| File Extension | Purpose | Safe to Block |
|---|---|---|
| .cfml | Executes CFML templates (same as .cfm files) | Not typically used by developers; if you don't use .cfml, block this file extension. |
| .jsp | JavaServer Pages | Yes, if your applications do not require JSP. |
| .jws | Java Web Services: allows you to easily write and deploy SOAP web services in Java, similar to a CFC. | Yes, if not used. |
| .cfr | CFReport files | Yes, if cfreport is not used. |
| .cfswf | Dynamically generated SWF files from Flash forms | Yes, if Flash forms are not used. |
| .hbmxml | Hibernate XML mappings | Yes; this should always be blocked. |
Blocking by File Extension with Apache
To block .cfml, .jsp, .jws and .hbmxml files, add the following to your Apache httpd.conf file:
<FilesMatch "\.(cfml|jsp|jws|hbmxml)$">
Order Deny,Allow
Deny from all
</FilesMatch>
Restart Apache and create a test.cfml file to confirm that the rule is working.
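Before testing on a live server, it helps to see exactly which requests the FilesMatch pattern above denies. The following is an added Python example, not from the guide, that applies the same regex to constructed sample requests; the `(?i)` case-insensitive variant is an added assumption for deployments on case-insensitive filesystems, not a recommendation from the guide.

```python
import re

# The FilesMatch pattern from the guide. Apache evaluates it as a regex against
# the requested file name, case-sensitively unless (?i) is present.
PAGE_PATTERN = r"\.(cfml|jsp|jws|hbmxml)$"

# Assumed hardened variant (not from the guide): case-insensitive so that
# test.CFML on a case-insensitive filesystem (e.g. Windows) is also denied.
CASE_INSENSITIVE_PATTERN = r"(?i)\.(cfml|jsp|jws|hbmxml)$"


def is_blocked(path: str, pattern: str = PAGE_PATTERN) -> bool:
    """Return True if the FilesMatch rule would deny this request.

    FilesMatch is applied to the final path component (the file name), not
    the whole URL, and the query string is never part of that match, so both
    are stripped before the regex is applied.
    """
    filename = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return re.search(pattern, filename) is not None


def audit(paths, pattern=PAGE_PATTERN):
    """Map each sample request to the decision the rule would produce."""
    return {p: ("DENY" if is_blocked(p, pattern) else "ALLOW") for p in paths}


# Constructed sample requests (not from the guide) covering the cases to check.
SAMPLE_REQUESTS = [
    "/index.cfm",            # ordinary CFML template: must stay reachable
    "/test.cfml",            # the check the guide asks you to perform
    "/admin/old.jsp",
    "/ws/Hello.jws",
    "/WEB-INF/Order.hbmxml",
    "/test.cfml?x=1",        # a query string must not defeat the match
    "/notes.cfml.txt",       # '$' anchors at the end, so this stays allowed
    "/test.CFML",            # upper case: allowed by the page's pattern
]

if __name__ == "__main__":
    for rule_name, rule in (("page pattern", PAGE_PATTERN),
                            ("with (?i)", CASE_INSENSITIVE_PATTERN)):
        print(f"--- {rule_name} ---")
        for path, decision in audit(SAMPLE_REQUESTS, rule).items():
            print(f"{decision:5} {path}")
```

The last sample shows the one gap worth knowing about: the page's pattern leaves `/test.CFML` allowed, which only matters where the web server and filesystem treat names case-insensitively.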