
Request Filtering

New Here, Jun 18, 2014

I installed CF 11 on a Windows 2008 R2 server as a fresh install on IIS7.

I used the "The Coldfusion 11 Lockdown Guide" which specifies to use 'Request Filtering' on page 17.  It also states:

IMPORTANT: As of 4/10/14 in the latest CF11 build request filtering is not working or urls handled by Coldfusion.  This needs to be fixed.

The IIS portion of the guide is dependent upon the 'Request Filtering' working.  Mine did not work either.


So, if you follow the steps your CF sites will not work, (neither will the administrator).

When can we expect this to be fixed? 


Shouldn't the statement above be put on page 1 of the guide!  A lot of work to get to the page only to find out it will fail.


Has anyone come up with a fix or workaround for this?

Enthusiast, Jun 25, 2014

Request Filtering should be working in the final CF11 build; that note you are seeing was pertaining to a Beta build of CF11.

New Here, Jun 25, 2014

On page 17 of the Lockdown Guide it shows locking down from the root of the server. I tried that, then on page 24 where it shows to remove the blocks for an individual site, that did not work.  CF ignored them. I tried recycling the services on CF and on the web server, even rebooting.  I could not get it to work.  If the root said to deny, it was ignored at the site, regardless if I removed it from the site itself.

I was able to go to the website itself, and add filtering, that worked.  In fact, you can cut and paste from the web.config file found on the individual websites and copy the text to a new site.

It works for a single website but according to the documentation you apply the filtering to the web server, then remove the filtering as needed per website.  I was not able to get this to work.  I was, though, able to give it to an individual site.

On Wed, Jun 25, 2014 at 12:15 PM, Peter Freitag <forums_noreply@adobe.com>

Enthusiast, Jun 25, 2014

If you block /CFIDE globally (server wide) you cannot then allow the URI /CFIDE/administrator/ for the admin site - is that what you were trying to do? If you block /CFIDE globally, you have to remove allow /CFIDE and then add blocks for each sub folder in /CFIDE besides administrator to set up the admin site. If you globally block each sub folder (e.g. /CFIDE/administrator, /CFIDE/adminapi, etc. on the root node) then you should be able to just remove /CFIDE/administrator for the admin site.

New Here, Jun 25, 2014

I totally understand the blocking globally, which is what I wanted.  I was going to create a local site for the administrator.  The 'unblocking' is the part I was not able to get to work.

Sample: Create a new site in IIS7 (testsite).  Add a virtual directory to /CFIDE

1.  Navigate to testsite/CFIDE/administrator/  = works as expected.

2.  GLOBALLY BLOCK /CFIDE/administrator, navigate to testsite/CFIDE/administrator/ = fails as expected.

3.  UNBLOCK testsite/CFIDE/administrator, navigate to testsite/CFIDE/administrator/ = fails???  Should this not work?

4.  DELETE GLOBAL BLOCK /CFIDE, BLOCK testsite/CFIDE/administrator, navigate to testsite/CFIDE/administrator/ = fails as expected.

If I block /CFIDE/administrator at the global level, there is nothing I can do to create a site to make it work.  No sites will work to administrator, no matter what I do in the local site.

Tried flushing cache, start/stop IIS7 and CF11.  Finally figured I could accomplish what I wanted by going to the site and blocking directories.

Enthusiast, Jun 26, 2014

If you are blocking the URI "/CFIDE" globally then step 3 would fail because of that, even if you unblock /CFIDE/administrator or say allow uri /CFIDE/administrator. You have to remove the block for /CFIDE at the testsite level as well.
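The inheritance behaviour described in this reply, as an added example that is not part of the thread or of the Lockdown Guide: a small Python model that merges `denyUrlSequences` entries from server level to site level and evaluates a URL against the result. The XML fragments and function names are constructed for illustration, and the model assumes each entry is a case-insensitive substring match on the URL.

```python
import xml.etree.ElementTree as ET

# Constructed server-level config: the global blocks discussed in the thread.
SERVER = """<requestFiltering><denyUrlSequences>
  <add sequence="/CFIDE" />
  <add sequence="/CFIDE/administrator" />
  <add sequence="/CFIDE/adminapi" />
</denyUrlSequences></requestFiltering>"""

# Constructed site-level attempt (step 3): only the administrator entry is removed.
SITE_STEP3 = """<requestFiltering><denyUrlSequences>
  <remove sequence="/CFIDE/administrator" />
</denyUrlSequences></requestFiltering>"""

# Constructed site-level config per the reply: the inherited /CFIDE entry goes too.
SITE_FIXED = """<requestFiltering><denyUrlSequences>
  <remove sequence="/CFIDE" />
  <remove sequence="/CFIDE/administrator" />
</denyUrlSequences></requestFiltering>"""


def effective_sequences(*levels):
    """Merge denyUrlSequences collections in order, parent first, child last."""
    merged = []
    for xml_text in levels:
        coll = ET.fromstring(xml_text).find("denyUrlSequences")
        for el in ([] if coll is None else coll):
            seq = el.get("sequence", "").lower()
            if el.tag == "clear":
                merged = []
            elif el.tag == "remove":
                merged = [s for s in merged if s != seq]
            elif el.tag == "add" and seq not in merged:
                merged.append(seq)
    return merged


def blocked_by(url, *levels):
    """Return every effective deny sequence contained in the URL."""
    path = url.lower()
    return [s for s in effective_sequences(*levels) if s in path]


if __name__ == "__main__":
    admin = "/CFIDE/administrator/index.cfm"
    for name, site in (("step 3", SITE_STEP3), ("fixed", SITE_FIXED)):
        print(name, "->", blocked_by(admin, SERVER, site) or "allowed")
```

With the fixed site config, only the sub folders that still have their own inherited entry stay blocked on that site; any other path under /CFIDE needs its own deny entry.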
