Disable Extension Upload functionality in Admin screen(LEX file)

Description

Hi Team,

As part of ethical hacking scanning in our organization, the team found a vulnerability (File Upload - OS Command Execution) by uploading a web shell script file via the Extensions - Applications functionality in the admin screen (/lucee/admin/web.cfm?action=ext.applications).

Functionality Name: Upload new extension (experimental)

Please let us know if there is any way we can hide/remove that extension upload functionality.

Need your immediate support in this regard.

Thanks!!

Activity

Michael Offner 
26 November 2019 at 22:35

As rightly pointed out, if someone gets access to your admin you are screwed anyway; the admin provides hundreds of settings, and changing any single one of them can kill your application. For example, deleting all data sources or changing/adding some mappings.

Sure, you could disable the possibility to upload .lex files, but where is the security gained?

If you want to do harm, there are much easier ways to execute whatever code you like when you have access to the admin; for example, create a mapping to an external S3 resource (or Git) and then simply call that code in the browser.

is right, we already discussed this years ago, but we saw that "locking down" the admin brings no more security without seriously crippling the possibilities Lucee provides. So we decided back then to move the admin (and the documentation) into an extension, with the possibility to uninstall that extension.

So the most secure way is to simply uninstall the admin/documentation extension; you can always install it again when you need it.


Zac Spitzer 
26 November 2019 at 16:33

Just a heads up: if a change is ever made, it won't be made against an old version of Lucee like 5.2.5.20.

At the end of the day, if a hacker has already got logged-in access to your Lucee admin, I'd say you're already screwed.

As Brad says, locking down access to the admin is a must, and you can always just add a web server rule to disable access to specific admin URLs like /lucee/admin/web.cfm?action=ext.applications and /lucee/admin/server.cfm?action=ext.applications and the pages they submit to.

I would also always recommend moving your WEB-INF outside the webroot:
https://docs.lucee.org/guides/installing-lucee/windows/installing-the-boncode-connector-and-mod_cfml.html#optional-relocating-web-inf-files-outside-the-web-root
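One way to implement the web server rule described in the comment above, as an added example that is not from the original thread and not Lucee's own configuration. It is an nginx server block that denies the whole /lucee/admin/ path to everything except an assumed internal management network, refuses the ext.applications action on both web.cfm and server.cfm even from that network, and refuses any request that reaches into WEB-INF. The upstream name lucee_backend, the port 8888, the host name and the allowed network ranges are placeholders chosen for the example.

```nginx
# Added example (not Lucee's own configuration). Restricts the Lucee admin
# and the extension-upload action at the web server, in front of Lucee.
# Assumptions: nginx proxies to an upstream named lucee_backend on port 8888,
# and the admin may only be reached from 10.0.0.0/8 or localhost.

upstream lucee_backend {
    server 127.0.0.1:8888;   # assumed Tomcat/Lucee port
}

server {
    listen 443 ssl;
    server_name app.example.com;   # placeholder
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Never serve anything under WEB-INF, whatever the application does.
    location ~* /WEB-INF/ {
        return 404;
    }

    # The admin UI: allowed only from the internal network, and even then
    # the extension-upload screens are refused.
    location ^~ /lucee/admin/ {
        allow 10.0.0.0/8;
        allow 127.0.0.1;
        deny  all;

        # Blocks /lucee/admin/web.cfm?action=ext.applications and
        # /lucee/admin/server.cfm?action=ext.applications. $arg_action only
        # sees the query string: an action carried in a POST body is not
        # matched here, so the allow/deny above remains the primary control.
        if ($arg_action = "ext.applications") {
            return 403;
        }

        proxy_pass http://lucee_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else goes to Lucee as normal.
    location / {
        proxy_pass http://lucee_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The action check is defense in depth only: as the comments in this thread point out, anyone who can log in to the admin has other ways to run code (mappings to external resources, data source changes), so the network restriction on the whole admin path matters more than the per-action rule, and uninstalling the admin extension on production servers is the stronger option.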

Brad Wood 
26 November 2019 at 15:06

Hi, the functionality you speak of is designed on purpose to allow extensions to Lucee to be installed, which may add jars, run arbitrary code, register caches, data sources, tags, functions, and add additional UI plugins to the interface. So it sort of goes without saying that such functionality could easily be used for malicious purposes if a hacker were to access your web administrator, which is why it is recommended to block all external access to this admin UI on your public servers.

Now that said, I agree with you, and I have said the same for years. I've suggested a better way to lock down the admin web UI for a long time, but the idea has never been taken up by the core developers as one worth considering. I thought I had a ticket in for this, but I can't find it. I've pointed out in the past that Adobe ColdFusion's worst zero-days came from attack vectors inside their web admin, and it eventually forced them to carefully examine all functionality such that even after accessing the admin, you couldn't take over the server.

Details

Created 26 November 2019 at 14:56
Updated 26 November 2019 at 22:35