NUKLEOS weblog

Virtual Memory (Resurrected)

A Security Issue In ColdFusion, And How To Handle It

16/07/2020 by Wouter

Charlie Arehart is a well-known ColdFusion specialist. Two days ago, he wrote a blog post explaining why one should be careful about securing ColdFusion Archive (CAR) files. The Adobe ColdFusion team isn’t very explicit about the issue, telling us in small print that we should delete those files after using them – but does not explain why we should do so. So Charlie explains it in great detail – if you work with Adobe ColdFusion, you should check out his blog.

Now Charlie only mentions versions 2016 and 2018 of ColdFusion, and I know that there are still developers around that work with older versions – actually, I’m one of those: ColdFusion 11 is what I have been supporting (and occasionally developing for) since 2015. I have been using .car files for installing CF servers, and I had already been looking at what they contained. I had never seen the ‘seed’ and ‘algorithm’ strings Charlie writes about, but I could have overlooked them. So I went in again today, to verify things.

I can confirm that .car files created in CF11 do NOT contain those strings. But before you start celebrating, I must warn you that this probably means that the situation is even worse than for more recent versions. Because CF11 will write (encrypted) passwords into a .car file, and yes: those files can be used to reconfigure another server, passwords included! Which probably means that all CF11 runtimes use the same seed and algorithm, rendering CF11 .car files containing passwords even more insecure than later versions…

I did not know about all this until yesterday, but I seem to have circumvented the problem: I wrote an application to install datasource definitions on the servers rather than use CAR files. That offers multiple advantages: the code (and hence the definitions) is under version control, and can only be accessed by authorized users; we have different definitions for different environments; etc. And the .car files I do use have no passwords in them – whew!

But it’s clear that it pays to take this issue into account as a ColdFusion developer or administrator, whatever solution you choose (and Charlie has a few propositions).

Posted in ColdFusion, Software Development