tracker issue : CF-3732913

select a category, or use search below
(searches all categories and all time range)

Isolate the /CFIDE/scripts directory from the rest of /CFIDE

| View in Tracker

Status/Resolution/Reason: Closed/Deferred/EnhancementRequired

Reporter/Name(from Bugbase): Adam Cameron / Adam Cameron (Adam Cameron)

Created: 03/29/2014

Components: General Server

Versions: 11.0

Failure Type: Unspecified

Found In Build/Fixed In Build: PublicBeta /

Priority/Frequency: Trivial / Most users will encounter

Locale/System: English / Platforms All

Vote Count: 17

This has come up repeatedly over a number of years.

ColdFusion exposes /CFIDE by default, which is bad, and absolutely should not be the case.

However because Adobe have homed the resources for CFUI tags (<cfform> etc) in /CFIDE, a lot of people think they "need" to have that exposed to use these tags. Obviously the - poorly named - <cfajaximport> tag can be used to point these tags at a different location for their resources, but this is a poor approach to dealing with an issue that shouldn't really need to exist.

Just put the stuff for CFUI tags somewhere else! Move them outside /CFIDE. But them in /cfresources or something. Basically follow good web practices and only expose things to the outside world that are *supposed* to be exposed to the outside world.

I think Adobe needs to step up and be a bit more of a facilitator when it comes to streamlining people's efforts to secure their servers.

This should not be too hard to achieve, and not have many knock-on effects? I'm just wondering about any "backwards compat" issues Adobe might claim as grounds to not do this. I think in this case, product stability and reputation, and being seen to be doing something about ColdFusion's security perceptions should quite possibly trunk "backwards compat" concerns?

I'm raising this as a bug not an E/R as it's just wrong to have this stuff coupled with the administrator / API / etc


----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3732913

External Customer Info:
External Company:  
External Customer Name: Adam Cameron.
External Customer Email:  
External Test Config: My Hardware and Environment details:



hell to the yes.........................
Vote by External U.
12974 | March 29, 2014 11:41:27 AM GMT
Definitely should happen.
Vote by External U.
12975 | March 29, 2014 11:44:35 AM GMT
Please do this........................................
Vote by External U.
12976 | March 29, 2014 12:04:04 PM GMT
Don't put stuff that might need to be web-accessible in with stuff that should be secured away. Be secure by default - don't expect your users (who've come to ColdFusion because it's easy and they don't need to know much to get it up and running) to be able to figure out how to properly secure a server.
Vote by External U.
12977 | March 29, 2014 07:58:03 PM GMT
And when you allow us the option to rename the folder, in the admin, to use something like cfscripts instead, then make sure all the code looks for the new folder. I changed our default location, to lock down the cfide, and the debugger and other items still look in the /cfide/scripts/ folder instead of the new one defined in the admin. I wonder how many other items look in the wrong folder still. Do it by default, and make it work right.
Vote by External U.
12978 | March 29, 2014 11:16:56 PM GMT
+1 Make it so for security's sake.
Vote by External U.
12979 | March 30, 2014 12:47:40 AM GMT
For the exact reason stated in the ticket, these need to be moved.
Vote by External U.
12980 | March 30, 2014 01:04:14 AM GMT
We have done this on our own without performance issues. Now is the time.
Vote by External U.
12981 | March 30, 2014 06:58:08 AM GMT
Just writing text to add my 25 characters.
Vote by External U.
12982 | March 30, 2014 08:23:03 AM GMT
Nothing to add except to quote Nike: "Just Do It".
Vote by External U.
12983 | March 30, 2014 11:18:39 AM GMT
This seams like a reasonable fix. I would like to see it implemented.
Vote by External U.
12984 | March 30, 2014 08:41:23 PM GMT
Definitely needs to be done.
Comment by External U.
12972 | March 31, 2014 08:17:28 AM GMT
Definitely needs to be done.
Vote by External U.
12985 | March 31, 2014 08:25:24 AM GMT
What Adam said
Comment by External U.
12973 | April 05, 2014 08:43:01 AM GMT
Please fix this...….............
Vote by External U.
12986 | April 05, 2014 08:44:47 AM GMT
+1 for obvious reasons 1234567890
Vote by External U.
12987 | April 05, 2014 08:15:01 PM GMT
This has been requested for many years and Adobe's continued response is "there isn't enough time". Well, when will there be time? How many times does this security flaw have to bite Adobe before they find the time? One of the first things I do when when installing a new server is move and lockdown CFIDE and the scripts folder. It's even part of the Lockdown Guide so why not just fix this?
Vote by External U.
12988 | April 10, 2014 02:19:39 PM GMT
This has been asked for multiple times, mostly in regards to security. Please just get this done and not wait for another whole release cycle (i.e. get it done before 2016)
Vote by External U.
12989 | April 28, 2014 08:51:16 AM GMT
fix it, I don;t want to have to constantly wonder how the internals of CF are using this and what I should and shouldn't lock down.....
Vote by External U.
12990 | June 16, 2014 05:39:57 AM GMT