
Security Implications for the Admin API

Before using the ColdFusion Admin API, certain security implications need consideration. Administrators must understand that the API can grant unfettered access to the ColdFusion Administrator. ColdFusion secures the ColdFusion Administrator with a single password, which administrators should not give to users. Administrators must also enable access to the Admin API code directory, /CFIDE/AdminAPI. This directory is installed by default, and the API modules are hard-coded to look for this path.

ColdFusion ServiceFactory

Soon after ColdFusion MX was released, developers learned how to access the ColdFusion ServiceFactory object by using CreateObject() and <cfobject> calls to coldfusion.server.ServiceFactory. This Java object gives developers complete access to all ColdFusion server objects, including the Data Source, Licensing, Runtime, and Security Services. It also lets developers bypass the ColdFusion Administrator to configure data sources, debugging, and so on. Hackers could use it to disable the admin and RDS passwords and gain complete control over the server.
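Because any CFML file on the server can reach coldfusion.server.ServiceFactory through the two calls named above, a code audit that flags every such reference is a useful defensive check. The following Python script is an added example, not code from the book, and is not a ColdFusion tool. It scans CFML source for CreateObject("java", "coldfusion.server.ServiceFactory") and for <cfobject ... class="coldfusion.server.ServiceFactory">, matching case-insensitively because CFML tags and functions are case-insensitive. The file names and contents in SAMPLE_FILES are constructed for the demonstration; scan_directory() applies the same check to a real source tree.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# The two documented CFML ways of obtaining the ServiceFactory Java object:
#   CreateObject("java", "coldfusion.server.ServiceFactory")
#   <cfobject type="java" class="coldfusion.server.ServiceFactory" ...>
# CFML is case-insensitive, so the pattern is compiled with IGNORECASE.
SERVICE_FACTORY_RE = re.compile(
    r'createobject\s*\(\s*["\']java["\']\s*,\s*["\']coldfusion\.server\.servicefactory["\']'
    r'|<cfobject\b[^>]*\bclass\s*=\s*["\']coldfusion\.server\.servicefactory["\']',
    re.IGNORECASE,
)

CFML_SUFFIXES = {".cfm", ".cfc", ".cfml"}

Hit = Tuple[str, int, str]  # (file name, 1-based line number, stripped source line)


def scan_source(name: str, text: str) -> List[Hit]:
    """Return every line of one CFML source text that references the ServiceFactory."""
    hits: List[Hit] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SERVICE_FACTORY_RE.search(line):
            hits.append((name, lineno, line.strip()))
    return hits


def scan_tree(files: Dict[str, str]) -> List[Hit]:
    """Scan an in-memory mapping of file name -> contents (used for the constructed sample)."""
    hits: List[Hit] = []
    for name in sorted(files):
        hits.extend(scan_source(name, files[name]))
    return hits


def scan_directory(root: str) -> List[Hit]:
    """Scan every .cfm/.cfc/.cfml file under a real directory on disk."""
    files = {
        str(p): p.read_text(encoding="utf-8", errors="replace")
        for p in Path(root).rglob("*")
        if p.is_file() and p.suffix.lower() in CFML_SUFFIXES
    }
    return scan_tree(files)


# Constructed sample source tree: two files reference the ServiceFactory, two do not.
SAMPLE_FILES: Dict[str, str] = {
    "app/Application.cfc": (
        'component {\n'
        '    this.name = "demoapp";\n'
        '}\n'
    ),
    "app/admin/tools.cfm": (
        '<cfset factory = CreateObject("java", "coldfusion.server.ServiceFactory")>\n'
        '<cfset dsService = factory.getDataSourceService()>\n'
    ),
    "app/legacy/ds.cfm": (
        '<CFOBJECT TYPE="java" CLASS="coldfusion.server.ServiceFactory" NAME="sf">\n'
    ),
    "app/util/helpers.cfm": (
        # Other Java objects are not flagged; only the ServiceFactory is of interest here.
        '<cfset sb = createObject("java", "java.lang.StringBuilder")>\n'
    ),
}


if __name__ == "__main__":
    for name, lineno, line in scan_tree(SAMPLE_FILES):
        print(f"{name}:{lineno}: {line}")
```

This is a plain-text match, so it reports only literal references; a class name assembled at runtime from concatenated strings, or a Java object reached through another object's methods, will not be caught. Treat the scan as a first pass that directs manual review, not as proof that no code path reaches the ServiceFactory.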
