ColdFusion (.cfm) Files Prompting to Download or Downloading to Browser

ColdFusion
#1

Overview

There is a rare issue where ColdFusion (.cfm files) will download templates to the browser rather than running them or show the CFML code as plaintext. This can result in information disclosure since portions of your code may be exposed to unauthorized users. This article is being created to go over what steps can be taken when this problem occurs on a Hostek ColdFusion Server.

What causes ColdFusion templates to download to the browser?

Technically, this isn’t an issue with ColdFusion at all but is instead an issue with the connector that ColdFusion is using to communicate with the webserver being used on the server. When ColdFusion is unable to communicate with the connector being used by the webserver all ColdFusion requests will begin downloading to browser or returning as plaintext. In this guide, we will go over scenarios for Windows and Linux and what can be done to solve them on a Hostek ColdFusion Server.

Windows

This issue rarely occurs in Windows since the connector configuration for a website is handled by Hostek’s Windows control panel. In Windows, the ColdFusion connector is known as the ISAPI connector which is defined in a website’s ISAPI Filters within IIS. The ISAPI connector is the default choice in ColdFusion and what is supported by Adobe. The ColdFusion ISAPI connector is a fork of the official Tomcat ISAPI connector, with some custom extensions to the AJP protocol. When ColdFusion templates are downloading to the browser rather than being executed you will need to check the following location in IIS to ensure the correct configuration is being specified.

  • ISAPI Filters
    Name: Tomcat
    Path : C:\ColdFusion2018\config\wsconfig\1\isapi_redirect.dll

In this article, we will use ColdFusion 2018. The CF2018 connector configured should point to C:\ColdFusion2018\config\wsconfig\1\isapi_redirect.dll. If this connector is not present it will need to be added to the IIS web server using the WSConfig utility located in the following path: C:\ColdFusion2018\cfusion\runtime\bin\wsconfig.exe.

If there is already a ColdFusion connector being defined in the WSconfig utility for your website, then you will need to create an ISAPI Filter manually under your website within IIS. This can be done by opening IIS on your server and navigating to Your domain name -> ISAPI Filters -> 'Add...' located in the top right-hand corner. You would need to specify the ISAPI Filter configuration listed in the above bulletin.

Isapifilter
Isapifilter.png1710×1003 31.1 KB

Adobe’s official docs on the manual connector configuration for IIS can be viewed here.

If you’re still encountering issues with your templates processing correctly then please contact our support team so that we can further assist you.

Linux

Our ColdFusion on Linux/cPanel packages come bundled with Apache and is relying on the Mod_JK connector. The mod_jk connector will rarely experience issues unless there has been a change made to Apache that would wipe out the connector configuration. Most commonly this issue occurs when an EasyApache upgrade is performed from 3 to 4. When this occurs we will need to re-apply the configuration that mod_jk is relying on within Apache. This can be done by accessing your WHM interface and searching for Apache Configuration. From here you will need to access the Include Editor which can be used to specify the Mod_JK connector configuration ColdFusion is depending on. When in the include editor click Pre Main Include and specify the following:

<Proxy *>
Allow from 127.0.0.1
</proxy>
ProxyPreserveHost On
ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ ajp://127.0.0.1:8009/$1$2
ProxyPassMatch ^/(.+\.cfchart)(/.*)?$ ajp://127.0.0.1:8009/$1$2
ProxyPassMatch ^/(.+\.cfml)(/.*)?$ ajp://127.0.0.1:8009/$1$2
ProxyPassReverse / ajp://127.0.0.1:8009/

Note: If you’re using a custom installation of ColdFusion on Linux you will need to replace port 8009 with the correct AJP port, which you can find in the ColdFusion service’s server.xml configuration file. /opt/coldfusion[version]/cfusion/runtime/conf/server.xml.

ApacheConfiguration
ApacheConfiguration.png1241×747 69.4 KB

If you’re still encountering issues with your templates processing correctly then please contact our support team so that we can further assist you.