I have been a ColdFusion user since version 3 (building web sites with CFML).
I do not know anything about the ColdFusion product itself.
I am now wondering why new tags need to access the CFIDE directory,
which is the CF administrator directory?
I feel that the engine and administration have been mixed up in the same directory.
Is there a reason?
I think about the last CF vulnerability and hacking; I am afraid this mixup grows the vulnerability?
My question may be totally off, as I do not know about the CF product architecture.
Thanks for any clarification.
You should not have a publicly accessible CFIDE directory. It is highly recommended to not only add request filtering to prevent people from getting to these restricted areas, but to add IP address restrictions as well.
All ColdFusion needs to operate is the jakarta virtual directory, since it provides access to the needed isapi_rewrite.dll file.
If you are using tags which need to access CF's scripts directory, it is highly recommended that you utilize a virtual directory like 'cf-scripts' and then set up in the CF Admin the use of that virtual directory rather than /CFIDE/scripts.
If you get a moment, I'd look over the principles put forth in the ColdFusion 10 Server Lockdown Guide and make sure your application adheres to those best practices.
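As an added illustration of the request-filtering and IP-restriction advice in the answer above (this is not code from the original answer, nor from Adobe's lockdown guide), here is a site-level IIS `web.config` fragment. The allowed addresses (127.0.0.1 and a 10.0.0.0/24 management network), the blocked CFIDE subpaths and the `cf-scripts` virtual directory name are assumptions for the example:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: site-level web.config for an IIS site running ColdFusion.
     Assumptions (not from the thread): the ColdFusion Administrator is only
     reached from 127.0.0.1 or the 10.0.0.0/24 management network, and public
     script assets are served through a virtual directory named cf-scripts
     that points at the physical CFIDE/scripts folder. -->
<configuration>
  <system.webServer>
    <security>
      <!-- Request filtering: reject any URL that reaches into the sensitive
           parts of the CFIDE tree. /cf-scripts is a separate virtual
           directory, so it is not affected by these rules. -->
      <requestFiltering>
        <denyUrlSequences>
          <add sequence="/CFIDE/administrator" />
          <add sequence="/CFIDE/adminapi" />
          <add sequence="/CFIDE/componentutils" />
        </denyUrlSequences>
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- Defence in depth: whatever is left under /CFIDE only answers to the
       listed addresses. Requires the IIS "IP and Domain Restrictions"
       feature to be installed; allowUnlisted="false" denies everyone else. -->
  <location path="CFIDE">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <add ipAddress="127.0.0.1" allowed="true" />
          <add ipAddress="10.0.0.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

With these rules the public site never serves the Administrator at all, so it has to be administered through a separate, non-public binding (the assumption here). The `cf-scripts` virtual directory itself is created in IIS Manager or with `appcmd`, and the CF Administrator is then pointed at `/cf-scripts/` as the script source directory, so that pages using the UI tags no longer emit `/CFIDE/scripts/` URLs. After applying the rules, check from an outside address that `/CFIDE/administrator/` returns an error while `/cf-scripts/` still serves the assets.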
I am not knowledgeable enough about these practices;
I do not understand how to do those things.
So I just put a "cfabort" in the Application.cfm of the CFIDE (keeping the original one),
and I do not use the tags needing the CFIDE.
A shame, but I cannot do otherwise (a degraded ColdFusion).
I am just a CFML writer.
Thanks for your answer anyway, but I did not get an answer to my question:
mixing engine and admin in CFIDE, why?
The best suggestion is to not use any of the built-in UI tags which require CFIDE; if you have been developing since CF3 then you should be well beyond this anyway and using jQuery et al.
As suggested, read the lockdown guide if you host your own server. If you are using shared hosting then your host should take care of the security.
Here is a simpler lockdown guide: http://www.michaels.me.uk/post.cfm/securing-your-coldfusionmx-installation-on-windows
I use my own server, so I can do there what I want.
I did the following: see answer in the previous thread: