I was listening to CFHour just now - another good podcast, fellas - and Scott mentioned that ColdFusion doesn't help its case keeping itself secure/locked down because assets for CFUI tags are homed in /CFIDE/scripts, and /CFIDE really mustn't be exposed to the outside world.

Whilst there are various options to move / rehome these, I've raised a ticket to get /CFIDE/scripts moved somewhere else: "Isolate the /CFIDE/scripts directory from the rest of /CFIDE" (3732913), which says this:

ColdFusion exposes /CFIDE by default, which is bad, and absolutely should not be the case.

However, because Adobe have homed the resources for CFUI tags (<cfform> etc) in /CFIDE, a lot of people think they "need" to have that exposed to use these tags. Obviously the - poorly named - <cfajaximport> tag can be used to point these tags at a different location for their resources, but this is a poor approach to dealing with an issue that shouldn't really need to exist.

Just put the stuff for CFUI tags somewhere else! Move them outside /CFIDE. Put them in /cfresources or something. Basically follow good web practices and only expose things to the outside world that are supposed to be exposed to the outside world.

I think Adobe needs to step up and be a bit more of a facilitator when it comes to streamlining people's efforts to secure their servers.

This should not be too hard to achieve, and should not have many knock-on effects? I'm just wondering about any "backwards compat" issues Adobe might claim as grounds to not do this. I think in this case, product stability and reputation, and being seen to be doing something about ColdFusion's security perceptions, should quite possibly trump "backwards compat" concerns?

I'm raising this as a bug, not an E/R, as it's just wrong to have this stuff coupled with the administrator / API / etc.

This has come up repeatedly over a number of years.

Thoughts? Please go vote for it if you agree. Or comment here or there (or both) if you have any other things that might need to be considered.
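For anyone who doesn't want to wait on the ticket, this is the workaround the post alludes to, as an added example of my own rather than anything from Adobe: an Apache 2.4 fragment that shuts /CFIDE off from the outside world while serving a copy of the CFUI assets from a path that holds nothing sensitive. It assumes Apache is fronting ColdFusion, that you have copied /CFIDE/scripts to /var/www/cfresources/scripts yourself, and that 192.0.2.0/24 stands in for your real admin network (both values are placeholders).

```apache
# Block the whole /CFIDE tree (Administrator, adminapi, scripts, etc.)
# from the internet. Only loopback and the admin network get through;
# everyone else receives 403. 192.0.2.0/24 is a placeholder, edit it.
<Location "/CFIDE">
    Require ip 127.0.0.1 ::1 192.0.2.0/24
</Location>

# Serve the CFUI tag assets from a directory that contains ONLY the
# copied contents of /CFIDE/scripts, so exposing it publicly is harmless.
# (Copy the files there yourself; this config does not do that.)
Alias "/cfresources/scripts" "/var/www/cfresources/scripts"
<Directory "/var/www/cfresources/scripts">
    Require all granted
    Options -Indexes
    AllowOverride None
</Directory>
```

With that in place, point the CFUI tags at the relocated copy with <cfajaximport scriptsrc="/cfresources/scripts"> (or set the default ScriptSrc directory in the Administrator) and then confirm from an outside address that /CFIDE/administrator/ returns 403 while a file under /cfresources/scripts/ still loads.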
--
Adam