7 Replies Latest reply: Oct 22, 2014 8:14 AM by tishward

Coldfusion ignoring NTFS permissions

tishward Mar 7, 2014 1:27 PM

I have seen a few older posts that have presented this same issue, but there was no resolution in the thread. I have posted on those threads asking if they found a solution, however thought I would present the issue myself and hopefully someone has a fix/workaround.

CF10, W2008R2, IIS 7.5. Using a group with NTFS permissions and trying to limit the access to the pages. Anyone can view the page if putting in a username and password in the Windows security popup, click ok and immediately prompted again, click cancel and you can see the page contents. Tested with an html page and html page is blocked properly. It is my understanding that IIS passes the control to cf, cf diplays the cfm page.

Since this is IIS 7.5, the checkbox for check if file exists that was working in IIS6 isn't there any longer, it is now items under Handler Mappings. I saw in one thread dscussion about editing a wildcard mapping, but it was vague, and didn't have the settings I need to fix this, or I did not understand based on what I see on our server. I have set the .cfmHandler to "file" , and that did not work. I do not see a wildcard handler in the name column, however there are * in the path column, so it wasn't clear what really is the magic wildcard mapping I am looking for.

I cannot believe this issue has existed since IIS7, and there is no clear guidance on the topic. Someone has to have figured it out... bypassing NTFS permissions and not being able to restrict access to a group is not a small issue, in my opinion anyway. I have searched all over the place, hopefully someone here knows what the magic answer is...

Thanks!

Tanya

1. Re: Coldfusion ignoring NTFS permissions

Carl Von Stetten Mar 7, 2014 1:44 PM (in response to tishward)

Tanya,

This may not be what you want to hear, but I don't think you can get CF to play by NTFS rules with IIS 7+. Since IIS hands off processing to .cfm/.cfc files to ColdFusion, it can't enforce NTFS permissions. I think CF developers typically rely on a security system within their ColdFusion application to determine who can access which .cfm files or folders. So programatically you check the credentials of the user and determine if they are supposed to be able to access a particular .cfm file, and redirect them if they are not. Some use the <cflogin> features of ColdFusion; others roll their own.

I could be completely off about this, though. Do you use Application.cfc in your apps, or Application.cfm? That may have a bearing as well.

-Carl V.
Like Show 0 Likes (0)

Actions
2. Re: Coldfusion ignoring NTFS permissions

tishward Mar 10, 2014 6:22 AM (in response to Carl Von Stetten)

I should be more specific. I know CF has always been this way. In IIS6 you could force IIS to make sure the file exists and then pass control to CF. In IIS7.5, that checkbox is gone. I want IIS to check perms before passing to CF. Has anyone managed to get this to work, and if so, what was the solution? I am an admin, not a developer.
Thanks!
Like Show 0 Likes (0)

Actions
3. Re: Coldfusion ignoring NTFS permissions

vishu#13 Mar 11, 2014 3:11 AM (in response to tishward)

Tanya,

Drop an e-mail to ColdFusion support team (cf.install@adobe.com)

Thanks
VJ
Like Show 0 Likes (0)

Actions
4. Re: Coldfusion ignoring NTFS permissions

tishward Oct 15, 2014 11:42 AM (in response to vishu#13)

CF10 Update 14 was just released. I tried responding to the support email addresses used earlier this year for this issue, including the one you told me to use then, and all of them bounce back. I was forwarding our conversation history so they can tell me if it will break what we fixed. Please tell me how to forward the conversation/fix history to a good email address with my questions.

Thanks!
Like Show 0 Likes (0)

Actions
5. Re: Coldfusion ignoring NTFS permissions

tishward Oct 22, 2014 8:01 AM (in response to vishu#13)

Hello?? Anyone there? I have honored Support's request to not discuss the solution in public, so I would appreciate a response from Support so I can ask my questions about CF10 Update14 potentially breaking this again before I install the update. I do NOT see where it is listed in the fix list for this update. Maybe I missed it. If it isn't fixed, I will be extremely disappointed. I tried all of the email addresses used earlier this year to contact Support and all failed.

Thank you!
Tanya
Like Show 0 Likes (0)

Actions
6. Re: Coldfusion ignoring NTFS permissions

Anit Kumar Panda Oct 22, 2014 8:06 AM (in response to tishward)

Hi Tanya,

The email address is still the same cfinstal<AT>adobe<DOT>com. NTFS permission is not fixed in CF10 Update 14. Here is the list of bug fixes in this release Bugs fixed in ColdFusion 10 Update 14.

Regards,
Anit Kumar
Like Show 0 Likes (0)

Actions
7. Re: Coldfusion ignoring NTFS permissions

tishward Oct 22, 2014 8:14 AM (in response to Anit Kumar Panda)

Tried emailing yet again, we shall see if it bounces back like it did last week.

I am extremely disappointed that this issue was not fixed in this update. It is a HUGE security issue! We can't be the only people who noticed it. It needs to be taken SERIOUSLY!
Like Show 0 Likes (0)

Actions