I’ve been playing a little with the <cfcalendar> tag in an app I’m working on. It seems that for the Flash to be usable, you need a /CFIDE mapping on your server. Which is all well and good, except that on a production-level server, you’re a certifiable nutjob if you have a live /CFIDE, as it opens up access to the CF Administrator. If you need access to the CF Administrator, and therefore to /CFIDE, it should be on a separate virtual server which:
- responds on a different, preferably non-routable, IP address
- is mapped on a non-standard TCP port
- is turned off unless you are actually changing the CF server settings right now
Now, unless there’s a way to shut off CF Administrator access (short of deleting the administrator directory or IP-limiting it) that I don’t know about (and I’m happy to be proved wrong), having to map /CFIDE on your servers is a significant security risk. It’s certainly not one I’d be prepared to take.
This issue has been mentioned in a number of TechNotes (1, 2) and articles (1, 2 – the second is particularly good and very thorough) at Macromedia, but I’m not reassured that most people setting up ColdFusion servers will read these and take the right action. To my mind, it would be better to have another external directory containing all these assets (Flash tools, Java applets, etc.) which a developer might drop into their app. Keep that directory well away from the /CFIDE.
