I was listening to CFHour just now - another good podcast, fellas - and Scott mentioned that ColdFusion doesn't help its case keeping itself secure/locked down because assets for CFUI tags are homed in /CFIDE, which really mustn't be exposed to the outside world.

Whilst there are various options to move / rehome these, I've raised a ticket to get /CFIDE/scripts moved somewhere else: "Isolate the /CFIDE/scripts directory from the rest of /CFIDE" (3732913), which says this:
This has come up repeatedly over a number of years. /CFIDE is exposed by default, which is bad, and absolutely should not be the case.

However because Adobe have homed the resources for CFUI tags in /CFIDE, a lot of people think they "need" to have that exposed to use these tags. Obviously the - poorly named - <cfajaximport> tag can be used to point these tags at a different location for their resources, but this is a poor approach to dealing with an issue that shouldn't really need to exist.

Just put the stuff for CFUI tags somewhere else! Move them outside /CFIDE. Put them in /cfresources or something. Basically follow good web practices and only expose things to the outside world that are supposed to be exposed to the outside world.

I think Adobe needs to step up and be a bit more of a facilitator when it comes to streamlining people's efforts to secure their servers.

This should not be too hard to achieve, and should not have many knock-on effects? I'm just wondering about any "backwards compat" issues Adobe might claim as grounds to not do this. I think in this case, product stability and reputation, and being seen to be doing something about ColdFusion's security perceptions, should quite possibly trump "backwards compat" concerns.

I'm raising this as a bug not an E/R as it's just wrong to have this stuff coupled with the administrator / API / etc.

Thoughts? Please go vote for it if you agree. Or comment here or there (or both) if you have any other things that might need to be considered.
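As an added illustration, not part of the post or the ticket, of the interim workaround the ticket mentions: the CFUI assets are copied out of /CFIDE/scripts into a directory of your own (the /cfresources/scripts path below is a constructed example), the web server in front of ColdFusion is assumed to be configured separately to refuse outside requests to /CFIDE, and each page that uses the tags points at the copy via the scriptsrc attribute of <cfajaximport>, so /CFIDE itself never needs to be reachable from the internet.

```cfml
<!---
    Added example (not from the post). Assumptions:
      * /CFIDE/scripts has been copied to /cfresources/scripts under the web root
        (constructed path; use whatever name suits you), and
      * the web server in front of ColdFusion denies all external requests to /CFIDE,
        so the Administrator, its APIs and everything else under it stay unreachable.
--->

<!--- Tell the CFUI tags on this page to load their JS/CSS from the relocated copy
      instead of the default /CFIDE/scripts. Must appear before any tag that needs them. --->
<cfajaximport scriptsrc="/cfresources/scripts">

<!--- A CFUI tag that would otherwise pull its client-side validation code from /CFIDE --->
<cfform name="signup" format="html" method="post">
    <cfinput type="text" name="email" validate="email" required="true"
             message="Please enter a valid e-mail address">
    <cfinput type="submit" name="go" value="Sign up">
</cfform>

<!--- Self-check after deploying: the rendered HTML should reference /cfresources/scripts
      and contain no "/CFIDE/" URLs at all; if one appears, a tag on the page is still
      being served from the directory you meant to lock away. --->
```

Pair this with a check from outside the network that a request for /CFIDE/ (and /CFIDE/administrator/) is refused, since the page-level override does nothing to protect /CFIDE on its own.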