System information

Adobe documentation - Confidential
All JEE web applications have a file in the WEB-INF directory called web.xml. This file defines the
servlets and servlet mappings for the JEE web application. A servlet mapping defines a URI pattern that a
particular servlet responds to. For example, the servlet that handles requests for .cfm files is called the
CfmServlet; its servlet mapping looks like this:
<servlet-mapping id="coldfusion_mapping_3">
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
</servlet-mapping>
The servlets themselves are also defined in the web.xml file. The CfmServlet is defined in web.xml as follows:
<servlet id="coldfusion_servlet_3">
    <servlet-name>CfmServlet</servlet-name>
    <display-name>CFML Template Processor</display-name>
    <description>Compiles and executes CFML pages and tags</description>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
    <init-param id="InitParam_1034013110656ert">
        <param-name>servlet.class</param-name>
        <param-value>coldfusion.CfmServlet</param-value>
    </init-param>
    <load-on-startup>4</load-on-startup>
</servlet>
Servlet mappings can be removed from web.xml to reduce the attack surface. You don't typically
want to remove the CfmServlet or the *.cfm servlet mapping, but there are other servlets and mappings
that may be removed.
Because some servlets depend on each other, it is usually safer to remove only the servlet-mapping
and leave the servlet definition in place. A servlet with no mapping can no longer be reached by URL,
whereas a servlet-mapping that references a servlet that is no longer defined will prevent the
application from deploying.
Be sure to back up web.xml before making changes, as incorrect changes may prevent the server from
starting.
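The following is an added example, not part of the Adobe guide, that applies the procedure above with a script instead of by hand: it lists the url-pattern to servlet mappings in a web.xml, removes the mappings you name while refusing to touch the *.cfm patterns that must stay, and checks afterwards that every remaining servlet-mapping still references a defined servlet (the condition that would otherwise stop the application from deploying). The embedded web.xml is a constructed sample; the ExampleServlet definition and the /example/* mapping in it are hypothetical and not ColdFusion servlets. The backup and write helper assumes the caller has write access to the WEB-INF directory.

```python
import shutil
import time
import xml.etree.ElementTree as ET

# Constructed sample: CfmServlet is taken from the guide; ExampleServlet and
# /example/* are hypothetical entries added to have something safe to remove.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet id="coldfusion_servlet_3">
    <servlet-name>CfmServlet</servlet-name>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
    <init-param>
      <param-name>servlet.class</param-name>
      <param-value>coldfusion.CfmServlet</param-value>
    </init-param>
    <load-on-startup>4</load-on-startup>
  </servlet>
  <servlet id="example_servlet">
    <servlet-name>ExampleServlet</servlet-name>
    <servlet-class>com.example.ExampleServlet</servlet-class>
  </servlet>
  <servlet-mapping id="coldfusion_mapping_3">
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
    <url-pattern>*.CFM</url-pattern>
  </servlet-mapping>
  <servlet-mapping id="example_mapping">
    <servlet-name>ExampleServlet</servlet-name>
    <url-pattern>/example/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Mappings the guide says to keep; the remover refuses to delete these.
PROTECTED_PATTERNS = {"*.cfm", "*.CFM", "*.Cfm"}


def _ns(root):
    """Return the '{uri}' prefix for the default namespace of web.xml (or '' if none)
    and register it so serialisation keeps the plain xmlns= form."""
    if root.tag.startswith("{"):
        uri = root.tag[1:].split("}", 1)[0]
        ET.register_namespace("", uri)
        return "{%s}" % uri
    return ""


def list_mappings(xml_text):
    """Return [(servlet-name, url-pattern), ...] in document order."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    result = []
    for mapping in root.findall(ns + "servlet-mapping"):
        name = mapping.findtext(ns + "servlet-name").strip()
        for pattern in mapping.findall(ns + "url-pattern"):
            result.append((name, pattern.text.strip()))
    return result


def remove_mappings(xml_text, patterns):
    """Drop the given url-patterns. Returns (new_xml, removed, refused) where
    removed is [(servlet-name, pattern)] and refused lists protected patterns."""
    refused = sorted(p for p in patterns if p in PROTECTED_PATTERNS)
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    removed = []
    for mapping in list(root.findall(ns + "servlet-mapping")):
        name = mapping.findtext(ns + "servlet-name").strip()
        for pattern in list(mapping.findall(ns + "url-pattern")):
            text = pattern.text.strip()
            if text in patterns and text not in PROTECTED_PATTERNS:
                mapping.remove(pattern)
                removed.append((name, text))
        # A servlet-mapping with no url-pattern left is invalid; drop it whole.
        if mapping.find(ns + "url-pattern") is None:
            root.remove(mapping)
    return ET.tostring(root, encoding="unicode"), removed, refused


def remove_servlet(xml_text, servlet_name):
    """Remove a <servlet> definition only (kept separate so its effect can be checked)."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    for servlet in list(root.findall(ns + "servlet")):
        if servlet.findtext(ns + "servlet-name").strip() == servlet_name:
            root.remove(servlet)
    return ET.tostring(root, encoding="unicode")


def check_consistency(xml_text):
    """undefined_servlets: mappings pointing at no <servlet> (deployment will fail).
    unmapped_servlets: defined servlets no longer reachable by URL (expected after hardening)."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    defined = {s.findtext(ns + "servlet-name").strip() for s in root.findall(ns + "servlet")}
    mapped = {m.findtext(ns + "servlet-name").strip() for m in root.findall(ns + "servlet-mapping")}
    return {"undefined_servlets": sorted(mapped - defined), "unmapped_servlets": sorted(defined - mapped)}


def harden_file(path, patterns):
    """Back up web.xml with a timestamp, then rewrite it without the given patterns.
    Aborts (no write) if the result would reference an undefined servlet."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_xml, removed, refused = remove_mappings(original, patterns)
    problems = check_consistency(new_xml)["undefined_servlets"]
    if problems:
        raise RuntimeError("mappings reference undefined servlets: %s" % problems)
    shutil.copy2(path, "%s.bak-%d" % (path, int(time.time())))
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_xml)
    return removed, refused
```

Run `harden_file("/path/to/WEB-INF/web.xml", {"/example/*"})` against a copy first and compare `list_mappings` before and after; `check_consistency` on the original file also gives a quick inventory of every servlet that is reachable by URL, which is the list to review when deciding what else can be removed.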
Servlet Mapping         Servlet       Purpose
*.cfm, *.CFM, *.Cfm     CfmServlet    Handles execution of CFML in .cfm files.    Required