Block direct access to xml configuration files

I realized today that the configuration files for some ModelGlue apps I'm running are effectively public to anyone who knows the path and filename. The reason is that I'm using ColdFusion for server-side processing, authentication and authorization, but that only protects requests for files ending in .cfm. Since my configuration files typically end in .xml, the web server happily serves them directly.

Since I'm running Apache, the fix was quite simple. Place the following directives into a .htaccess file at the root of your application (or higher if possible). Apache applies .htaccess directives to that directory and every subdirectory beneath it, so one file covers the whole application tree.

# Match any request whose filename ends in .xml (case-sensitive regex)
<Files ~ "\.xml$">
    # Evaluate Allow rules first, then Deny; with no Allow rules, everything is denied
    Order allow,deny
    Deny from all
    # Require every access control to pass, so no other rule can re-open the file
    Satisfy All
</Files>

Now when you try to access the xml configuration file over the web, the server returns a 403 Forbidden response instead of the file contents. Note that the ColdFusion apps can still read the files, since they read them directly from the file system rather than through HTTP, so the .htaccess rule does not affect them.
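The same rule written so it keeps working after an upgrade, as an added example that is not part of the original post: Apache 2.4 replaced Order/Deny/Allow with Require directives (the old ones only survive via mod_access_compat), and the mod_authz_core module is present only on 2.4, so it is used here as the version switch.

```apache
# Added example: block direct HTTP access to .xml files on both Apache 2.2 and 2.4.
<Files ~ "\.xml$">
    <IfModule mod_authz_core.c>
        # Apache 2.4: authorization is expressed with Require
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2: legacy host-based access control
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>
</Files>
```

Either form only takes effect when the directory's AllowOverride setting permits these directives (Limit/AuthConfig on 2.2, AuthConfig on 2.4); if AllowOverride is None, the .htaccess file is silently ignored and the .xml files remain reachable, so confirm the 403 with a browser or curl after deploying.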

CFUnited 2005 - Day 2 - post 1

Day 2 of this ColdFusion event is turning out to be another great day. This morning we had an interesting keynote from a Microsoft rep named Bill. No, not Bill Gates, but the lesser-known Bill Staples. He talked about many cool new features in the upcoming IIS7. It doesn't apply much to my work at Cedarville, since we run Apache on Linux for our main web servers.

While Ray Camden had good things to say about IIS7, I found it interesting that many of the things he was discussing have been available in some form in Apache. One of the biggest new features is the ability to ship a webapp-specific config file that controls modules, users, default documents and similar settings per directory. Apache has been doing this for years (forever?) using .htconfig files. I find it ironic that IIS is just now catching up with Apache in this area.

BlogCFC was created by Raymond Camden. This blog is running version 5.8.