Web Trenches

Lucee Administrator Insecure by Default

Just a tip for those installing Lucee with the IIS connector: it is NOT secure by default. When you add a new IIS website, Lucee automatically creates a Web context folder for that website, and the administrator screens in that context are NOT password protected. I have not confirmed whether this is also true on other Web server platforms (Apache, etc.).

It's easy to correct this issue. In your server context administrator (http://{your domain}/lucee/admin/server.cfm), go to Passwords, then Set Default Password. The password you enter there is applied to every new Web context.

I don't know why they would ever make this open by default, but that is how it is.

For more on securing Lucee, check out the Lucee lockdown guide.

Also, see Pete Freitag's Securing the Railo Context, which can be adapted for Lucee.

2 Replies to “Lucee Administrator Insecure by Default”

  1. Just a follow-up here. This is no longer true as of Lucee 5. The site contexts now use the server context password by default.

  2. You should put an edit in this article to say that this was changed years ago. I keep getting this old post in my search results for some weird reason in 2019/2020.
