Block direct access to xml configuration files

I realized today that the configuration files for some ModelGlue apps I'm running are basically exposed to the public if someone can get the path and filename. The reason is that I'm using ColdFusion for server-side processing, authentication and authorization, but that only protects files that end in .cfm. Since my configuration files typically end in .xml, they can be directly accessed on the web.

Since I'm running Apache, the fix was quite simple. Place the following code into a .htaccess file at the root of your application (or higher if possible). Apache checks every directory above the requested file for .htaccess files, so the rule applies to subfolders automatically.

<Files ~ "\.xml$">
Order allow,deny
Deny from all
Satisfy All
</Files>

Now when you try to access the XML configuration file, the web server returns a 403 Forbidden error and doesn't display the file. Note that the ColdFusion apps can still read the files, since they typically access them directly on the file system rather than over HTTP.
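The same rule for Apache 2.4, where Order/Deny/Satisfy are only available through mod_access_compat, with an exception for one XML file that has to stay downloadable. This is an added example, not part of the original post; feed.xml is a hypothetical filename.

```apache
# Added example (not from the original post).
# Apache 2.4+: authorization is handled by mod_authz_core, and
# "Require" replaces the Order / Deny / Satisfy directives.
# The IfModule wrapper keeps an Apache 2.2 server, which does not
# have this module, from failing on the unknown "Require all" syntax.
<IfModule mod_authz_core.c>

    # Deny HTTP access to every file whose name ends in .xml.
    # (?i) makes the match case-insensitive, so config.XML is also
    # covered on case-insensitive file systems.
    <FilesMatch "(?i)\.xml$">
        Require all denied
    </FilesMatch>

    # Assumption: feed.xml is a hypothetical file that is meant to be
    # public. This section appears after the FilesMatch block, so it
    # is merged later and its Require replaces the deny for this name.
    # <Files> matches on the file name only, so it applies to any
    # feed.xml below the directory holding this .htaccess.
    <Files "feed.xml">
        Require all granted
    </Files>

</IfModule>
```

In a .htaccess file these directives only take effect if the server's AllowOverride setting for that directory includes AuthConfig.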

Comments
I think the standard practice is to put .cfm after the xml files. ColdFusion gets it. Then you put an application.cfm with a simple <cfabort> in the config folder containing your xml files.
# Posted By Justin | 11/29/07 2:00 PM
What about using XML with Spry? Granted usually it's a cfm that serves up the xml, but technically you could use a static xml file for Ajax-y stuff.

Couldn't you have renamed the xml files .xml.cfm? That's what I've done in the past. Is that not secure? Just wonderin...
# Posted By todd sharp | 11/29/07 2:34 PM
That's a great tip Mark. At work, we use SiteMinder to manage user access throughout the site. All we have to do is restrict access to any /config/ folder from the public.

However, on my Linux server, I resorted to "CHMOD"ding the file to restrict public user access. Your solution seems much more elegant, especially for people who don't have CHMOD access.
# Posted By Adrian J. Moreno | 11/29/07 3:54 PM
Two other possible solutions:

1. put all the config files outside the webroot (not possible on shared hosting but recommended in other scenarios - I have almost no code under webroot when I'm on a dedicated box)

2. use .xml.cfm file extensions - tell your editor about the mapping (easy) and have Application.cfc ensure requests to non-index.cfm files are blocked / redirected. This is what Fusebox has always done.

The Apache trick is good until you publish an XML file for folks to download...
# Posted By Sean Corfield | 11/30/07 11:06 AM
Justin: Agreed, but this is an existing Model Glue 1.0 app. So without digging through the core of MG, this was a simple way to block access.

Todd: If the xml file is on the file system, it could still be directly accessed if one knows the location (as is common for open-source apps!).

Sean: Yes, #1 would certainly work and probably be the safest long term.

My goal for this was to not change the application at all to make the xml files secure from those who may try to access them directly.
# Posted By Mark Mazelin | 11/30/07 11:36 AM