
So, I decided to try to break my website... I googled my site by typing in site:mysite.com/whatever and behold, all of the users' uploaded files were available for view under a specific directory.

What kind of script/countermeasure should I use to block these files from being viewed? I already have a script that checks the path and the logged-in status, however this doesn't seem to be working. I've looked all over for solutions... but I can't quite find one. I'm using ColdFusion 8.

asked by Bri (edited by James A Mohler)

2 Answers


This isn't a ColdFusion issue so much as a web server configuration issue.

You should either:

  • configure your web server not to show a directory of files when using a URL without a filename (e.g., http://www.example.com/files/)

  • drop a blank default web document (index.html, index.htm, default.htm, index.cfm, whatever) into that directory so that it displays that document rather than the list of files. If you use index.cfm, it'll fire your Application.cfm/cfc in your file path and use whatever other security you've built.

(or, better, do both)

answered by ale

  • This is called Directory Browsing and you should turn it off in IIS or Apache depending on your webserver. – Sean Coyne Jun 01 '11 at 15:31
  • Actually, because other web services pull from my web directory files... I can't require login for files, but I guess it doesn't matter since the files are public to students anyway. – Bri Jun 01 '11 at 18:05
  • If the files are public then why hide them? Search engines finding your files is a feature! This really doesn't sound like a security issue at all. – bpanulla Jun 01 '11 at 19:59
  • @bpanulla Yeah, that is what I was trying to say. I thought it was a security risk, but then I realized they are allowed to be public. However, this information was useful to me regardless. :) – Bri Jun 03 '11 at 14:55

The best way to secure your file listings and the files themselves is to store them in another folder outside of the Web site root folder. You can then serve them up using CFDIRECTORY and CFCONTENT. The pages that display the files can check your access controls and only serve the files to those allowed to see them.

answered by bpanulla

  • Plus the fact that if your web root is under source control you aren't worrying about wiping uploaded files if you re-deploy your website. – Ciaran Archer Jun 01 '11 at 18:09
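The two answers fit together, and the following is an added example (not code from either answer, from the asker, or from Adobe's ColdFusion documentation) showing how they combine on ColdFusion 8: an Application.cfc whose onRequestStart turns away anonymous requests, so a blank index.cfm dropped into the upload folder (answer 1) goes through that check; a download.cfm that serves files kept outside the web root with CFCONTENT after a file-name whitelist, a canonical-path check and a per-user lookup (answer 2); and a list.cfm that builds the listing with CFDIRECTORY instead of letting the web server do it. The folder C:\data\uploads\, the datasource fileshare, the file_acl table and session.userId are all assumptions.

```cfml
<!--- Application.cfc (assumed names). ColdFusion runs onRequestStart before every
      .cfm request under this tree, so a blank index.cfm in the upload folder is
      enough to stop an anonymous listing, and download.cfm below never runs
      for a visitor without a session. --->
<cfcomponent output="false">
    <cfset this.name = "fileshareExample">
    <cfset this.sessionManagement = true>

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Only login.cfm is reachable without a session; everything else redirects --->
        <cfif NOT StructKeyExists(session, "userId")
              AND NOT FindNoCase("/login.cfm", arguments.targetPage)>
            <cflocation url="/login.cfm" addtoken="false">
        </cfif>
        <cfreturn true>
    </cffunction>
</cfcomponent>


<!--- download.cfm: streams one uploaded file. The folder is an assumption; what matters
      is that it is NOT under the web root, so IIS/Apache can neither list nor serve it. --->
<cfset uploadRoot = "C:\data\uploads\">

<cfparam name="url.file" type="string">

<!--- 1. Accept only a bare file name: letters, digits, underscore, dash, and dotted
        extensions. Slashes, backslashes, ".." and empty names all fail here. --->
<cfif NOT ReFind("^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)*$", url.file)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort>
</cfif>

<!--- 2. Defence in depth: resolve the real path and require that its parent directory
        is exactly the upload root and that it is a regular file --->
<cfset jFile = CreateObject("java", "java.io.File")>
<cfset rootCanon = jFile.init(uploadRoot).getCanonicalPath()>
<cfset target = jFile.init(uploadRoot, url.file).getCanonicalFile()>
<cfif target.getParent() NEQ rootCanon OR NOT target.isFile()>
    <cfheader statuscode="404" statustext="Not Found">
    <cfabort>
</cfif>

<!--- 3. Access control: the session is already guaranteed by Application.cfc; this adds
        a per-file check against an assumed file_acl(file_name, user_id) table --->
<cfquery name="acl" datasource="fileshare">
    SELECT 1 AS allowed
    FROM file_acl
    WHERE file_name = <cfqueryparam value="#url.file#" cfsqltype="cf_sql_varchar">
      AND user_id   = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
</cfquery>
<cfif acl.recordCount EQ 0>
    <cfheader statuscode="403" statustext="Forbidden">
    <cfabort>
</cfif>

<!--- 4. Stream the bytes as a download. A fixed octet-stream type plus nosniff keeps the
        browser from rendering an uploaded HTML or SVG file inside the site's origin. --->
<cfheader name="X-Content-Type-Options" value="nosniff">
<cfheader name="Content-Disposition" value="attachment; filename=""#url.file#""">
<cfcontent type="application/octet-stream" file="#target.getPath()#" reset="true">


<!--- list.cfm: the listing the asker found via Google, now built in code so only
      logged-in users see it and every link goes through download.cfm --->
<cfset uploadRoot = "C:\data\uploads\">
<cfdirectory action="list" directory="#uploadRoot#" name="files" type="file" sort="name ASC">
<ul>
<cfoutput query="files">
    <li><a href="download.cfm?file=#URLEncodedFormat(files.name)#">#HTMLEditFormat(files.name)#</a></li>
</cfoutput>
</ul>
```

Two design points. The file-name whitelist in step 1 is what actually prevents a request from reaching outside the upload folder; the canonical-path comparison in step 2 is a second, independent check so that a later relaxation of the regex does not silently reopen the hole. And none of this replaces disabling directory browsing in IIS or Apache as the comments on the first answer say: the web server setting covers every folder, while Application.cfc only protects requests ColdFusion is asked to handle.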