1 Reply Latest reply on Dec 3, 2015 6:47 AM by WolfShade

    ColdFusion web.xml exposed


      How can I prevent someone from downloading the web.xml file using a Nessus exploit. I do have access to the ColdFusion administrator and enabled several security settings but WEB-INF/web.xml can still be accessed.I have spent the last 2 hours trying to find the solution online.

      Sorry if that is an obvious setting but I don't know much about ColdFusion as I am a IBM Notes administrator...

        • 1. Re: ColdFusion web.xml exposed
          WolfShade Level 4

          Don't use the default CF installation settings for hosting.  It will default to {drive}/ColdfusionX/cfusion/wwwroot, and place the CFIDE folder and WEB-INF folder, there.  Whatever webserver you're using (Apache, IIS), set it (and CF server) to a different location, and map the CFIDE and WEB-INF directories in CFAdmin.


          A good idea would be to follow a Lockdown Guide, when setting up your CF server.  Charlie Arehart has a list of preferred guides.





          1 person found this helpful