If you are not using the cfreport you can change the servlet mapping for *.cfr to point to the
CFForbiddenServlet, this servlet will return 403 forbidden response if a cfr file is requested:
<servlet-mapping id="coldfusion_mapping_12">
<servlet-name>CFCServlet</servlet-name>
<url-pattern>*.cfr</url-pattern>
</servlet-mapping>
Change to:
<servlet-mapping id="coldfusion_mapping_12">
<servlet-name>CFForbiddenServlet</servlet-name>
<url-pattern>*.cfr</url-pattern>
</servlet-mapping>
Be sure to remove the .cfr mapping on the web server.
6.8 Remove WSRP Servlet Mapping
The WSRP Servlets and Filters are used to support Web Services for Remote Portlets, a SOAP based API for
serving portlets. If this feature is not used the web services
Remove the WSRPFilter Servlet Mapping:
<servlet-mapping>
<servlet-name>WSRPProducer</servlet-name>
<url-pattern>/WSRPProducer/*</url-pattern>
</servlet-mapping>
6.9 Disabling the CFFileServlet Mapping
The CFFileServlet is used to serve dynamically generated assets. It is used to support the following tags
cfreport, cfpresentation, and cfimage (with action=captcha and action=writeToBrowser). If you are not using
these features you may remove the servlet mapping:
79