Posted in Development | Posted on 07-22-2005 | 1,445 views
Recently a coworker noticed a web site where the owners had forgotten to secure their administration folder. (He was able to get to the folder by guessing.) He immediately emailed them to let them know about the problem.
The site promptly closed up the directory... but only if you requested http://theirurl/thefolder itself. If you went to http://theirurl/thefolder/default.aspx, you could still get right in: the rule matched the directory URL, not the files underneath it.
Something you may want to check on your own sites!
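The mistake described above is an access check that compares the request path against one exact URL instead of protecting everything under the admin prefix. The following is an added example, not code from the original post or the site in question, written in Python rather than ASP.NET so it runs stand-alone: it puts the broken exact-match check beside a hardened version that normalizes the path (percent-decoding, `..` segments, repeated slashes, case, which matters on IIS) and then does a prefix match. The folder name `/thefolder` is taken from the post's placeholder URL; `authorize` and the HTTP status values are assumptions for the sake of the demonstration.

```python
"""Added example: exact-match vs. normalized prefix-match path protection."""
import posixpath
from urllib.parse import unquote

# Assumed admin prefix, taken from the placeholder URL in the post.
ADMIN_PREFIX = "/thefolder"


def is_blocked_exact(raw_path: str) -> bool:
    """The broken rule: only the directory URL itself is recognized.
    '/thefolder/default.aspx' slips straight past this check."""
    return raw_path in (ADMIN_PREFIX, ADMIN_PREFIX + "/")


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path before any authorization decision.

    - drop query string and fragment
    - percent-decode repeatedly (bounded) so '%74hefolder' and doubly
      encoded forms compare equal to the plain spelling
    - treat backslashes as slashes (Windows/IIS accept both)
    - collapse leading '//', '/./' and '/../' segments
    - lowercase, because the IIS file system lookup is case-insensitive
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):  # bounded loop: stop once decoding is stable
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    path = "/" + path.lstrip("/")          # posixpath keeps a leading '//'; we do not
    path = posixpath.normpath(path)        # resolves '.', '..' and repeated slashes
    return path.lower()


def is_protected(raw_path: str) -> bool:
    """The hardened rule: the prefix and every path below it are protected,
    while a sibling such as '/thefolderx/...' is not."""
    path = normalize_path(raw_path)
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")


def authorize(raw_path: str, authenticated: bool) -> int:
    """Assumed decision function: 403 for unauthenticated access to the
    protected tree, 200 otherwise."""
    if is_protected(raw_path) and not authenticated:
        return 403
    return 200


def compare_rules(paths):
    """Return {path: (exact_rule_blocks, prefix_rule_blocks)} so the gap
    between the two rules is visible for a batch of request paths."""
    return {p: (is_blocked_exact(p), is_protected(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample requests, including the one from the post.
    sample = [
        "/thefolder",
        "/thefolder/",
        "/thefolder/default.aspx",
        "/TheFolder/Default.aspx",
        "/public/../thefolder/default.aspx",
        "/%74hefolder/default.aspx",
        "/thefolderx/page.aspx",
        "/index.aspx",
    ]
    for p, (exact, prefix) in compare_rules(sample).items():
        print(f"{p:40} exact-match blocks: {exact!s:5}  prefix-match blocks: {prefix}")
```

Running the block prints a table showing that the exact-match rule blocks only the two directory spellings, while the prefix rule blocks every variant that reaches a file inside the folder and still leaves the sibling `/thefolderx/page.aspx` alone. The normalization step is what makes a prefix check trustworthy; without it, an encoded or `..`-laden spelling of the same path would bypass the prefix comparison just as `default.aspx` bypassed the exact one.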


On all of the websites I administrate we use IIS on W2K. So for the admin directory we configured IIS to not allow anonymous access and to use WINNT Integrated security. This means that someone must have an account on the domain or the machine in order to even get to the application's login page. Then we have separate accounts for the application and use client variables within CF to secure it.
This provides two layers of security. So even if someone has an account on the domain or the machine, unless they have an account within the application, they can't get in.