How NOT To Do Directory Security

Recently a coworker noticed a web site where the owners had forgotten to secure their administration folder. (He was able to get to the folder by guessing.) He immediately emailed them to let them know about the problem.

The site promptly closed up the directory... but only for requests to http://theirurl/thefolder itself. If you went to http://theirurl/thefolder/default.aspx, you could still get right in: the fix blocked a single URL, not the directory and every file beneath it.

Something you may want to check on your own sites: request the files inside a protected folder directly, not just the folder URL.
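The difference between "block this URL" and "block this directory" is easy to see in code. The snippet below is an added example written for this post, not code from the site in question or from this blog; the folder name /thefolder is the post's, while the function names and the sample requests are constructed for illustration. It puts the single-URL check the site apparently used beside a check that canonicalises the request path and then matches the directory prefix, and runs both over the kinds of requests an attacker would try (case changes, percent-encoding, backslashes, dot-dot segments, query strings):

```python
"""Added example: why "deny /thefolder" is not the same as "deny the folder".

The site in the post only refused the exact URL /thefolder, so
/thefolder/default.aspx (and every other file beneath it) stayed open.
The folder name is the post's; the functions and sample requests below
are constructed for this example and are not the site's own code.
"""
import posixpath
from urllib.parse import unquote

ADMIN_DIR = "/thefolder"   # the directory the site meant to protect


def naive_is_admin(raw_path, admin_dir=ADMIN_DIR):
    """The broken check: only the folder URL itself is recognised."""
    return raw_path == admin_dir


def normalize_path(raw_path):
    """Canonicalise a request path before comparing it to anything.

    Handles the usual evasions: a query string, percent-encoding (decoded
    twice to catch double encoding), backslashes, '.' and '..' segments,
    repeated slashes, a trailing slash and letter case (IIS paths are
    case-insensitive).
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path))
    path = path.replace("\\", "/")
    path = posixpath.normpath("/" + path.lstrip("/"))  # collapse ., .., //
    return path.lower()


def is_admin_path(raw_path, admin_dir=ADMIN_DIR):
    """The correct check: the folder itself *and* everything beneath it."""
    path = normalize_path(raw_path)
    admin = admin_dir.lower().rstrip("/")
    return path == admin or path.startswith(admin + "/")


# Constructed sample requests, written the way an attacker would try them.
SAMPLE_REQUESTS = [
    "/thefolder",
    "/thefolder/",
    "/thefolder/default.aspx",
    "/THEFOLDER/Default.aspx",
    "/%74hefolder/default.aspx",
    "/public/../thefolder/users.aspx",
    "/thefolder/default.aspx?debug=1",
    "\\thefolder\\default.aspx",
    "/thefolderx/index.html",          # a different folder: must stay open
    "/public/thefolder/readme.txt",    # not the admin folder either
]


def compare_checks(requests=SAMPLE_REQUESTS):
    """Return {request: (naive_blocked, hardened_blocked)} for each path."""
    return {r: (naive_is_admin(r), is_admin_path(r)) for r in requests}


def missed_by_naive_check(requests=SAMPLE_REQUESTS):
    """Requests that reach the admin area but slip past the single-URL block."""
    return [r for r in requests if is_admin_path(r) and not naive_is_admin(r)]


if __name__ == "__main__":
    for req, (naive, hard) in compare_checks().items():
        print(f"{req:36} naive={'BLOCK' if naive else 'allow':5} "
              f"hardened={'BLOCK' if hard else 'allow'}")
```

Of the ten constructed requests, seven reach the admin area while passing the single-URL check. In practice you should not hand-roll this matching in application code at all; the right fix is authorization applied at the directory level by the server (an IIS/NTFS permission on the folder, or a check that runs before every template in it), which is exactly what the hardened function imitates: it decides on the canonical path's directory prefix, never on one URL.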

Archived Comments

Comment 1 by tony petruzzi posted on 7/22/2005 at 10:59 PM

This is why you should always use a combination of OS and CF security on an administrative backend. To give an example:

On all of the websites I administer we use IIS on W2K. So for the admin directory we configured IIS to not allow anonymous access and to use WINNT Integrated security. This means that someone must have an account on the domain or the machine in order to even get to the application's login page. Then we have separate accounts for the application and use client variables within CF to secure it.

This provides two layers of security. So even if someone has an account on the domain or the machine, unless they have an account within the application, they can't get in.

Comment 2 by Christopher Wigginton posted on 7/22/2005 at 11:26 PM

It's times like those that you really appreciate the power of application.cfm/application.cfc

Comment 3 by James posted on 7/22/2005 at 11:46 PM

It always amazes me how many sites leave their admin front ends open for the world to see. It's an easy case of just appending /admin to some URLs, and up comes their CMS / website admin page.

Comment 4 by justin posted on 7/23/2005 at 2:16 AM

But as long as you have good security in play, shouldn't it not be much of a problem to let a user see a login box?