Web Trenches

Lucee Administrator Insecure by Default

Just a tip for those installing Lucee with the IIS connector… it is NOT secure by default. When you add a new IIS website, Lucee automatically creates a folder for that website's web context. The administrator screens in that context are NOT password protected, so anyone who can reach the site can open them. I have not confirmed if this is true on other web server platforms (Apache, etc.).

It's easy to correct this issue. In your server context administrator (http://{your domain}/lucee/admin/server.cfm), go to Passwords, then Set Default Password. The password you enter there is applied to every web context created from then on.

I don't know why they would ever make this open by default, but that is how it is.

For more on securing Lucee, check out the Lucee lockdown guide.

Also, see Pete Freitag's Securing the Railo Context, which can be adapted for Lucee.

One Reply to “Lucee Administrator Insecure by Default”

  1. Just a follow-up here. This is no longer true as of Lucee 5. The site contexts now use the server context password by default.
