Adobe® ColdFusion® 10 Server Lockdown Guide
Adobe® ColdFusion® 10 Server Lockdown Guide Adobe® ColdFusion® 10 Server Lockdown Guide
MessageBrokerServlet /flex2gateway/* FlashGateway /flashservices/gateway/* 6.6 Disabling Flash Form Servlet Mappings If you are not using Flash forms ()you can disable the servlet mappings used to serve flash forms. Remove flash form servlet mappings: CFFormGateway /CFFormGateway/* CFInternalServlet /cfform-internal/* CFSwfServlet *.cfswf 6.7 Disabling the CFReport Servlet Mapping 78
If you are not using the cfreport you can change the servlet mapping for *.cfr to point to the CFForbiddenServlet, this servlet will return 403 forbidden response if a cfr file is requested: CFCServlet *.cfr Change to: CFForbiddenServlet *.cfr Be sure to remove the .cfr mapping on the web server. 6.8 Remove WSRP Servlet Mapping The WSRP Servlets and Filters are used to support Web Services for Remote Portlets, a SOAP based API for serving portlets. If this feature is not used the web services Remove the WSRPFilter Servlet Mapping: WSRPProducer /WSRPProducer/* 6.9 Disabling the CFFileServlet Mapping The CFFileServlet is used to serve dynamically generated assets. It is used to support the following tags cfreport, cfpresentation, and cfimage (with action=captcha and action=writeToBrowser). If you are not using these features you may remove the servlet mapping: 79
- Page 27 and 28: 2.3 Prerequisites for a RedHat Ente
- Page 29 and 30: Create a user for ColdFusion to run
- Page 31 and 32: SSLRequireSSL The above requires t
- Page 34 and 35: Do not install ColdFusion 10 ODBC S
- Page 36 and 37: Select an install directory, a non-
- Page 39 and 40: Choose a strong password and unique
- Page 41 and 42: Section 4 - Post ColdFusion Install
- Page 43 and 44: 4.1.3 Specify Log On User for ColdF
- Page 45 and 46: When the ColdFusion IIS connector i
- Page 47 and 48: 4.1.8 Remove Unused Handler Mapping
- Page 49 and 50: without these settings enabled so y
- Page 51 and 52: -bin /usr/sbin/httpd \ -script /etc
- Page 53 and 54: # cp jvm.config jvm.config.backup T
- Page 55 and 56: connectionTimeout="20000" redirectP
- Page 57 and 58: Section 5: ColdFusion Administrator
- Page 59 and 60: Setting Default Recommendation Desc
- Page 61 and 62: Setting Default Recommendation Desc
- Page 63 and 64: 5.2 Server Settings > Request Tunin
- Page 65 and 66: 5.3 Server Settings > Client Variab
- Page 67 and 68: Setting Default Recommendation Desc
- Page 69 and 70: 5.8 Debugging & Logging > Debug Out
- Page 71 and 72: 5.11 Event Gateways > Settings Sett
- Page 73 and 74: 5.15 Security > Allowed IP Addresse
- Page 75 and 76: Section 6: ColdFusion Server Servic
- Page 77: JWS Files are Java Web Services fil
- Page 81 and 82: Note: it is important that you do n
- Page 83 and 84: Section 7: Patch Management Procedu
- Page 85 and 86: Appendix B: List of Acronyms Acrony
- Page 87: Written by Pete Freitag For more in
If you are not using the cfreport you can change the servlet mapping for *.cfr to point to the<br />
CFForbiddenServlet, this servlet will return 403 forbidden response if a cfr file is requested:<br />
<br />
CFCServlet<br />
*.cfr<br />
<br />
Change to:<br />
<br />
CFForbiddenServlet<br />
*.cfr<br />
<br />
Be sure to remove the .cfr mapping on the web server.<br />
6.8 Remove WSRP Servlet Mapping<br />
The WSRP Servlets and Filters are used to support Web Services for Remote Portlets, a SOAP based API for<br />
serving portlets. If this feature is not used the web services<br />
Remove the WSRPFilter Servlet Mapping:<br />
<br />
WSRPProducer<br />
/WSRPProducer/*<br />
<br />
6.9 Disabling the CFFileServlet Mapping<br />
The CFFileServlet is used to serve dynamically generated assets. It is used to support the following tags<br />
cfreport, cfpresentation, and cfimage (with action=captcha and action=writeToBrowser). If you are not using<br />
these features you may remove the servlet mapping:<br />
79
Change language