Hi,
Recent pen testing has discovered that it is possible to bypass logging in to gain access to the cfcexplorer with the following steps:
1.) Go to the COLDFUSION cfcexplorer
http://<domain-name>/CFIDE/componentutils/cfcexplorer.cfc
2.) Click login without specifying a password
When this is done, a page displaying an error message results, and a ? is then appended to the URL.
3.) Press the browser back button, manually add the ? to the URL, and click login again.
http://<domain-name>/CFIDE/componentutils/cfcexplorer.cfc?
You will now gain access to the cfc explorer.
Is this a known problem that has a patch?
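
For anyone checking whether their own server has seen the URL form described above, here is an added example (not part of the original post, and not vendor code) that scans web access logs for requests to cfcexplorer.cfc and separates out those whose target ends in a bare `?`. It assumes the log records the raw request line, as Apache's common/combined format does; the sample lines, IP addresses and HTTP methods are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Path from the post, lowercased; request paths are compared case-insensitively.
CFC_PATH = "/cfide/componentutils/cfcexplorer.cfc"

# Assumption: common/combined log format, which keeps the raw request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return (ip, method, status, kind) for cfcexplorer requests, else None.

    kind is 'bare-question-mark' when the target contains '?' but the query
    string is empty (the URL form in the post), otherwise 'other'.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    target = m["target"]
    parts = urlsplit(target)
    if parts.path.lower() != CFC_PATH:
        return None
    bare = "?" in target and parts.query == ""
    kind = "bare-question-mark" if bare else "other"
    return m["ip"], m["method"], int(m["status"]), kind

def summarize(lines):
    """Count cfcexplorer requests per client IP, split by kind."""
    hits = defaultdict(lambda: {"bare-question-mark": 0, "other": 0})
    for line in lines:
        rec = classify(line)
        if rec:
            hits[rec[0]][rec[3]] += 1
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /CFIDE/componentutils/cfcexplorer.cfc HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "POST /CFIDE/componentutils/cfcexplorer.cfc HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "POST /CFIDE/componentutils/cfcexplorer.cfc? HTTP/1.1" 200 9000',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /index.cfm?page=1 HTTP/1.1" 200 700',
    '203.0.113.9 - - [01/Jan/2024:10:02:03 +0000] "GET /cfide/componentutils/cfcexplorer.cfc?name=value HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE).items():
        print(ip, counts)
```

Servers that log the query string in a separate field (IIS W3C format, for example) need a different pattern, since an empty query is not distinguishable from a missing one there.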