Saturday 29 March 2014

Encourage Adobe to relocate /CFIDE/scripts

I was listening to CFHour just now - another good podcast, fellas - and Scott mentioned that ColdFusion doesn't help its case keeping itself secure/locked down because assets for CFUI tags are homed in /CFIDE/scripts, and /CFIDE really mustn't be exposed to the outside world.

Whilst there are various options to move / rehome these, I've raised a ticket to get /CFIDE/scripts to somewhere else "Isolate the /CFIDE/scripts directory from the rest of /CFIDE" (3732913), which says this:

This has come up repeatedly over a number of years.

ColdFusion exposes /CFIDE by default, which is bad, and absolutely should not be the case.

However because Adobe have homed the resources for CFUI tags (<cfform> etc) in /CFIDE, a lot of people think they "need" to have that exposed to use these tags. Obviously the - poorly named - <cfajaximport> tag can be used to point these tags at a different location for their resources, but this is a poor approach to dealing with an issue that shouldn't really need to exist.

Just put the stuff for CFUI tags somewhere else! Move them outside /CFIDE. But them in /cfresources or something. Basically follow good web practices and only expose things to the outside world that are supposed to be exposed to the outside world.

I think Adobe needs to step up and be a bit more of a facilitator when it comes to streamlining people's efforts to secure their servers.

This should not be too hard to achieve, and not have many knock-on effects? I'm just wondering about any "backwards compat" issues Adobe might claim as grounds to not do this. I think in this case, product stability and reputation, and being seen to be doing something about ColdFusion's security perceptions should quite possibly trump "backwards compat" concerns?

I'm raising this as a bug not an E/R as it's just wrong to have this stuff coupled with the administrator / API / etc
Thoughts? Please go vote for it if you agree. Or comment here or there (or both) if you have any other things that might need to be considered.