Status/Resolution/Reason: Closed/Deferred/EnhancementRequired
Reporter/Name(from Bugbase): Adam Cameron / Adam Cameron (Adam Cameron)
Created: 03/29/2014
Components: General Server
Versions: 11.0
Failure Type: Unspecified
Found In Build/Fixed In Build: PublicBeta /
Priority/Frequency: Trivial / Most users will encounter
Locale/System: English / Platforms All
Vote Count: 17
This has come up repeatedly over a number of years.
ColdFusion exposes /CFIDE by default, which is bad, and absolutely should not be the case.
However because Adobe have homed the resources for CFUI tags (<cfform> etc) in /CFIDE, a lot of people think they "need" to have that exposed to use these tags. Obviously the - poorly named - <cfajaximport> tag can be used to point these tags at a different location for their resources, but this is a poor approach to dealing with an issue that shouldn't really need to exist.
Just put the stuff for CFUI tags somewhere else! Move them outside /CFIDE. Put them in /cfresources or something. Basically follow good web practices and only expose things to the outside world that are *supposed* to be exposed to the outside world.
I think Adobe needs to step up and be a bit more of a facilitator when it comes to streamlining people's efforts to secure their servers.
This should not be too hard to achieve, and not have many knock-on effects? I'm just wondering about any "backwards compat" issues Adobe might claim as grounds to not do this. I think in this case, product stability and reputation, and being seen to be doing something about ColdFusion's security perceptions, should quite possibly trump "backwards compat" concerns?
I'm raising this as a bug, not an E/R, as it's just wrong to have this stuff coupled with the administrator / API / etc.
--
Adam
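The workaround the report alludes to (deny /CFIDE at the web server, publish only the CFUI assets under a neutral path, and point the tags at it with scriptSrc), written out as an added example. This is editor-supplied configuration, not code from the bug report or from Adobe; it assumes Apache 2.4 sits in front of ColdFusion, that the CFUI JavaScript lives at /opt/coldfusion/cfusion/wwwroot/CFIDE/scripts (adjust to your install), and that 10.0.0.0/8 is the admin network; all three are assumptions.

```apache
# Added example (not from the bug report or from Adobe): Apache 2.4 httpd.conf fragment.
# Assumed install path for the CFUI assets; change it to match your server.

# Publish only the static assets the CFUI tags need, under a path that is
# not /CFIDE, so nothing else in that tree is reachable from outside.
Alias /cfresources "/opt/coldfusion/cfusion/wwwroot/CFIDE/scripts"
<Directory "/opt/coldfusion/cfusion/wwwroot/CFIDE/scripts">
    Require all granted
    Options -Indexes
</Directory>

# Everything under the /CFIDE URL (administrator, adminapi, componentutils, ...)
# is only reachable from localhost and the assumed admin network.
<Location "/CFIDE">
    Require ip 127.0.0.1 ::1 10.0.0.0/8
</Location>
```

Pages that use the CFUI tags then need `<cfajaximport scriptSrc="/cfresources">` (or the equivalent `scriptSrc` attribute on `<cfform>`) so the generated markup loads its JavaScript from the published path instead of /CFIDE/scripts; this assumes, as the report does, that `scriptSrc` is the web-root-relative replacement for /CFIDE/scripts, so check the behaviour against your version's tag reference. Two checks a practitioner should make afterwards: request /CFIDE/administrator/ and /CFIDE/adminapi/ from an external address and confirm a 403, and confirm that ColdFusion's built-in web server port is firewalled or bound to localhost, since a request straight to that port bypasses Apache and this rule entirely.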
----------------------------- Additional Watson Details -----------------------------
Watson Bug ID: 3732913
External Customer Name: Adam Cameron.