Discussion:
Protecting Application.cfm
lovewebdev
2009-03-21 02:56:34 UTC
What security measures can we take to protect the Application.cfm file? We
usually keep database login and password info obviously and other password
info. Is there really nothing else to do except knowing that no one should
access the actual file? Thanks!
Azadi
2009-03-21 06:27:43 UTC
Have you tried to access your Application.cfm file directly?
Go ahead and try it.

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/
Dan Bracuk
2009-03-22 15:33:03 UTC
Originally posted by: lovewebdev
> What security measures can we take to protect the Application.cfm file? We
> usually keep database login and password info obviously and other password
> info. Is there really nothing else to do except knowing that no one should
> access the actual file? Thanks!
Why do you have database login information and other passwords there?
lovewebdev
2009-03-22 15:51:52 UTC
Originally posted by: Dan Bracuk
> Why do you have database login information and other passwords there?

Well, the login and password must be in the <cfquery> tag on any given page
that queries the db. We just put it in an application variable instead of on
every single database driven page.

When you try accessing application.cfm from the browser you get:

Invalid request of Application.cfm, Application.cfc or OnRequestEnd.cfm file.
You have requested a page with the name application.cfm. This file name is
reserved by the ColdFusion engine for the specification of application level
settings and therefore cannot be directly requested from a web client.
Dan Bracuk
2009-03-22 16:34:57 UTC
You can use the admin page to set up your datasources so you don't need login
info in any file.

Why do you need to put passwords in cfmail tags? I use that tag somewhat
frequently and didn't even know there was a password attribute.
Azadi
2009-03-23 01:53:11 UTC
@Dan: password in <cfmail> tag: some mail servers require full
authentication to send/relay messages, and one must then provide the SMTP
server name, username and password in the cfmail tag. Of course, you can set
this up in CF admin if you are only using ONE mail server for all the
websites hosted on the same CF server...

@lovewebdev: as you can see, one CAN'T view the Application.cfm file in
their browser. It's a special file that CAN'T be requested directly - it
is only processed internally by CF before any other page request.

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/
larryclyons
2009-03-23 13:07:45 UTC
Post by lovewebdev
> What security measures can we take to protect the Application.cfm file? We
> usually keep database login and password info obviously and other password
> info. Is there really nothing else to do except knowing that no one should
> access the actual file? Thanks!
What are you trying to do? If you try to access Application.cfm over
the web all you'll get is an exception, as someone else mentioned. As
for physical access to the Application.cfm file, if an unauthorized
person has access to the drive where that file is, then you've got far
more serious problems than simple access.

regards,
larry
lovewebdev
2009-03-27 17:53:24 UTC
Yes thank you. I guess if I was on a dedicated server I could put all the info directly into the administrator.

Anyone know of very affordable dedicated server hosting with CF and SQL Server?
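
Added example, not part of the original thread: a small audit script that flags the pattern discussed above, i.e. <cfquery>/<cfmail> tags carrying a password attribute and <cfset> lines that assign a literal to a secret-looking variable, so they can be moved into datasources and mail settings defined in the CF administrator. The file names, variable names and sample contents are constructed, and the pass/pwd/secret name match is an assumed naming heuristic.

```python
import re

# Opening <cfquery ...> / <cfmail ...> tags, including tags that span lines.
TAG_RE = re.compile(r"<(cfquery|cfmail)\b([^>]*)>", re.I | re.S)
# A password attribute and its value (quoted or bare).
PW_ATTR_RE = re.compile(r"""\bpassword\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)
# <cfset x.y = "literal"> where the variable name looks like a secret (assumed naming).
CFSET_RE = re.compile(
    r"""<cfset\s+([\w.]*(?:pass|pwd|secret)\w*)\s*=\s*("[^"]+"|'[^']+')""", re.I)

def find_credentials(source, filename="<memory>"):
    """Return sorted (file, line, kind, where) findings; secret values are never returned."""
    findings = []
    for m in TAG_RE.finditer(source):
        pw = PW_ATTR_RE.search(m.group(2))
        if pw:
            value = pw.group(1).strip("\"'")
            # "#var#" means the secret is defined elsewhere in source, e.g. Application.cfm
            kind = "variable-password" if "#" in value else "literal-password"
            line = source.count("\n", 0, m.start()) + 1
            findings.append((filename, line, kind, m.group(1).lower()))
    for m in CFSET_RE.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        findings.append((filename, line, "secret-in-cfset", m.group(1)))
    return sorted(findings)

# Constructed sample files (not taken from the thread).
SAMPLE_APPLICATION_CFM = '''<cfapplication name="shop">
<cfset application.dsn = "shopdb">
<cfset application.dbuser = "webuser">
<cfset application.dbpass = "CONSTRUCTED-EXAMPLE">
'''
SAMPLE_PAGE_CFM = '''<cfquery name="q" datasource="#application.dsn#"
         username="#application.dbuser#" password="#application.dbpass#">
  SELECT id FROM orders
</cfquery>
<cfquery name="q2" datasource="shopdb">
  SELECT id FROM items
</cfquery>
<cfmail to="a@example.com" from="b@example.com" subject="hi"
        server="smtp.example.com" username="mailer" password="CONSTRUCTED-EXAMPLE">
body
</cfmail>
'''

if __name__ == "__main__":
    for name, text in (("Application.cfm", SAMPLE_APPLICATION_CFM), ("page.cfm", SAMPLE_PAGE_CFM)):
        for finding in find_credentials(text, name):
            print(finding)
```

The second query in the sample, which names only a datasource, produces no finding; that is the form that results once the login lives in the administrator-defined datasource.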