# fw1
c
The fundamental problem is that to break out of the FW1 framework, one must place an Application.cfc inside the directory you wish to access, and the mapping to the:
/WEB-INF/ucee/context
does not have an Application.cfc inside either the WEB-INF or lucee directories, so this may be the issue? The first Application.cfc occurs in the:
/WEB-INF/ucee/context
c
I think the problem goes all the way back to your rewrite rule in your web.config. You might need to change the regex on your match to exclude any path that starts with /lucee/. Otherwise, it's going to always inject /index.cfm/ to the front of every URL.
@Charles Robertson ☝️
Or better yet, add another condition that negates Lucee's admin. Probably something like: ^/lucee/.*$
c
@cfvonner Cheers. I will give it a go and let you know the outcome.
So like:
<conditions>
    <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
    <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
    <add input="{REQUEST_URI}" pattern="^.*\.(bmp|css|gif|htc|html?|ico|jpe?g|js|pdf|png|swf|txt|xml|map)$" negate="true" />
    <add input="{REQUEST_URI}" pattern="^.*type=png$" negate="true" />
    <add input="{REQUEST_URI}" pattern="^/lucee/.*$" negate="true" />
</conditions>
c
Yeah. Although you might see if prefixing the regex with the caret symbol would work. That would be more precise.
👍 1
c
Amazing! Thanks for your help 🙂
c
Excellent. Now, having solved that issue, I'd be very careful about making the Lucee Admin accessible to the internet. Best practice is to not do that, for security reasons.
c
I have always wondered about this. What is the difference between logging into the Lucee Web Admin with a username & password and any other CMS login? Let’s face it, most of us have hundreds of services that we log into online. Why is Lucee Web Admin any more important or any more vulnerable? 🤔
And this assumes the Lucee Web Administrator doesn’t use a password like P@ssw0rd 😊
I must say I am a little concerned about moving my WEB-INF above the webroot, because of this: https://luceeserver.atlassian.net/plugins/servlet/mobile?originPath=%2Fbrowse%2FLDEV-3339#issue/LDEV-3339
I know how to do it, because I had to do this in my last contract for City & Guilds: web.xml
<init-param>
		<param-name>lucee-web-directory</param-name>
		<param-value>C:\lucee\contexts\{web-context-label}\</param-value>
		<description>…</description>
</init-param>
It worked successfully at C&G, but that may have been because we did this before we started the server for the first time, after setting up the website. I am a little concerned about the outcome now, because my websites have been running for some time now. A change like this could actually make the Lucee Admin completely inaccessible to everyone, including me. 😵‍💫
a
I've done it with tunnels in the past - been a while though. The idea is that you tunnel into your server using something like ssh and then you can access the admin. That was on a linux vps and I haven't run one for many years so can't recall exactly how I set it up.
c
Yes. I heard about SSH, but to be honest, if I was a hacker, I would be more focused on bypassing the Windows Server security, rather than the Lucee Admin security. I just don’t understand how a hacker is going to get around the Lucee Admin security if administrators set strong passwords. I guess the argument is that, if you can access the Lucee Admin locally, then it is better to do so, but that doesn’t make it as flexible, because I can no longer access it if I don’t have RDP access.
Currently I access my VPS via RDP, and then I access the Lucee Admin internally. But if I am in a situation where I need to access it via a web browser, then I will have a problem if I lock it down. Let’s say I am on holiday and I don’t have RDP access and my websites go down because a DSN setting in the Admin needs tweaking, then I have a problem. Now, this may be an edge case, but I am wondering why Lucee Admin is any less secure than any other CMS?
a
Basically it's all about reducing the surface area of attack vectors (so how much is exposed). So it is recommended that you lock it down, but it's your choice if you want it exposed.
I had an app on my phone so I could tunnel into my linux server via ssh and then run a command to restart the web server etc. I don't know if that's an option with RDP. I assume you don't take your laptop on holiday with you?
It was a bit fiddly on a phone but worked just fine when I had to do it that way.
c
I already use RDP on my iPhone, which is great, although it’s not ideal looking at my Windows Server desktop on a tiny screen. I just think access flexibility should be a consideration when deciding to lock down or not.
a
Can you run scripts via RDP connection? - I guess you have Lucee running as a windows service - so you don't really need a desktop UI
c
Trust me, I need a UI 😃
Yes. I use Windows Server 2019
a
Ha, yeah. I was just thinking of the odd time when you need to restart your Lucee server and you're out shopping or whatever.
👍 1
c
I tried using the Linux command line once and my brain nearly exploded. It took me about an hour to create a single shortcut. But I take your point, I could open the Lucee Admin directly via RDP etc 🙏