This article goes over securing CFIDE for ColdFusion against malicious uploads (http://www.adobe.com/support/security/advisories/apsa13-01.html)
Update 1/16/2013: Adobe has issued a patch (http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-03.html). Edge Web Hosting still recommends locking down ColdFusion below in addition to applying the patch.
Update 5/15/2013: Due to recent changes in security on Edge's network, all CF Admin requests are locked down to internal connections only (i.e. from RDC or through an SSH Tunnel for Linux)
Note that if you are adding a new site to the server, you will need to follow the steps below for securing the CFIDE directory.
On Windows servers running IIS 7 or later, use IIS Manager:
- Log into the server via Remote Desktop.
- Open Internet Information Services (IIS) Manager and expand the websites. For each website, find the CFIDE virtual directory and expand it. Lock down the following three directories: administrator, adminapi and componentutils.
- Select each of those directories, open the IP Address and Domain Restrictions feature and choose Add Allow Entry... from the Actions sidebar.
- Add 127.0.0.1 as an allow entry for all three directories, and also add 69.63.128.150 (the EWH IP address) for the administrator directory only. This allows only localhost (plus EWH for administrator) to reach those directories, which prevents malicious uploads through them. Repeat this for every CFIDE directory on the server, i.e. for each website in IIS that has the directory. If the server is behind a firewall, you may also need to add the server's internal IP address range to the allow list.
On Windows servers running IIS 6:
- Log into the server via Remote Desktop.
- Open Internet Information Services (IIS) and expand the websites. For each website, find the CFIDE virtual directory and expand it. Lock down the following three directories: administrator, adminapi and componentutils. Right-click each of those directories and choose Properties.
- Choose the Directory Security tab and click Edit next to IP address and domain name restrictions.
- Select Denied Access and click the Add button. Enter 127.0.0.1 for all three directories and 69.63.128.150 (the EWH IP address) for the administrator directory only. Click OK to close the popup windows.
- Do this for all three folders, administrator, adminapi and componentutils. This allows only localhost (plus EWH for administrator) to reach those directories, which prevents malicious uploads through them. Repeat this for every CFIDE directory on the server, i.e. for each website in IIS that has the directory. If the server is behind a firewall, you may also need to add the server's internal IP address range to the list.
On Linux servers running Apache:
- SSH into the server and become root. Open the Apache configuration file for all sites (httpd.conf) and add the following to it. Apache does not allow trailing comments on a directive line, so each comment sits on its own line. This is Apache 2.2 access-control syntax (order/deny/allow); Apache 2.4 replaces these directives with Require.

<LocationMatch "/CFIDE/administrator/">
    order deny,allow
    deny from all
    # allow from local and EWH
    allow from 127.0.0.1
    allow from 69.63.128.150
</LocationMatch>

<LocationMatch "/CFIDE/adminapi">
    order deny,allow
    deny from all
    # allow from local and EWH
    allow from 127.0.0.1
    allow from 69.63.128.150
</LocationMatch>

<LocationMatch "/CFIDE/componentutils">
    order deny,allow
    deny from all
    # allow from local and EWH
    allow from 127.0.0.1
    allow from 69.63.128.150
</LocationMatch>

- Save the file and restart Apache.
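To confirm that no website was skipped, here is an added audit script (not part of the original article) that requests the three locked-down CFIDE paths on each site and flags any path that does not answer 403; run it from an address that is not on the allow list, since from localhost or the EWH address the paths are expected to answer 200. The site names locked.example and missed.example are constructed placeholders, and canned_status is a constructed stand-in responder so the script also runs with no server reachable.

```python
import urllib.error
import urllib.request

# The three directories the lockdown covers.
ADMIN_PATHS = (
    "/CFIDE/administrator/",
    "/CFIDE/adminapi/",
    "/CFIDE/componentutils/",
)

def http_status(url, timeout=10):
    """Real fetcher: HTTP status code of a GET on url (error codes included)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def unprotected_paths(site, fetch=http_status, paths=ADMIN_PATHS):
    """Return {path: status} for the admin paths on site that did NOT answer 403.

    site is scheme plus host, e.g. "https://www.example.com". fetch maps a URL
    to a status code and is injectable so the audit can run against a canned
    responder when no server is reachable. A 404 is reported too: it means the
    site has no CFIDE mapping at that path, which is worth knowing.
    """
    result = {}
    for path in paths:
        status = fetch(site + path)
        if status != 403:
            result[path] = status
    return result

def audit(sites, fetch=http_status):
    """Map each site to its still-reachable admin paths (empty dict == locked down)."""
    return {site: unprotected_paths(site, fetch) for site in sites}

# Constructed stand-in responder (no network): locked.example is fully locked
# down; missed.example still serves componentutils, as happens when one
# virtual directory is skipped.
def canned_status(url):
    if url.startswith("http://missed.example") and "componentutils" in url:
        return 200
    return 403

if __name__ == "__main__":
    report = audit(["http://locked.example", "http://missed.example"], fetch=canned_status)
    for site, open_paths in report.items():
        print(site, "locked down" if not open_paths else "STILL OPEN: %s" % open_paths)
```

If a site on IIS 7 still answers 200 after the Allow entries were added, open Edit Feature Settings... in IP Address and Domain Restrictions: the allow list only restricts anyone when access for unspecified clients is set to Deny.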