Web Software Architecture and Engineering – Life on the Bleeding Edge

Archive for August, 2012

ColdFusion 10 – Known Security Bug

Well, this didn’t take long!

I installed CF10 locally, and forgot the password over the weekend. So I did what every other developer does: play with ‘neo-security.xml’ and set ‘admin.security.enabled’ to false. Once I restarted the ColdFusion service, I was able to get into my CF Admin just fine.

But, here is where it gets interesting. Under Security->Administrator, the “No authentication needed (not recommended)” option was selected. Naturally, I changed that to “Use a single password only (default)”. Below that under “Root Administrator Password”, I entered the new passwords and hit ‘Submit Changes’ and CF Admin rejected me saying: “Password could not be changed as the old password is incorrect.”

Below where I set the new password is an input box for “Old Password”. Well – I don’t know the old password! So this means, the old password field is required, regardless of whether you forgot it or not.

So I’m stuck. To close the big security hole of people being able to log into my CF Admin, I set the option to “Use a single password only (default)” without setting a new password, and suddenly my CF Admin requires a password. Hackers can’t get in, but neither can I.

Basically, I’m stuck until Adobe fixes this. After some searching I found a bug logged in May for this. PLEASE VOTE: https://bugbase.adobe.com/index.cfm?event=bug&id=3187494.

All I can do now is set the xml to false, restart CF, make my changes, and set the option to require a password. Not fun.

Does anyone have a workaround? Make sure to vote!
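A check for the state described in the post above, added here as an example and not part of the original post: it reads the contents of `neo-security.xml` and reports any instance where `admin.security.enabled` is not `true`, so a reset that was never reverted gets noticed. The WDDX layout of the sample and the instance labels are assumptions.

```python
import sys
import xml.etree.ElementTree as ET

KEY = "admin.security.enabled"  # setting named in the post

# Constructed sample. Assumption: the file is a WDDX packet in which each
# setting is <var name='...'><boolean value='...'/></var>.
SAMPLE_DISABLED = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
<var name='admin.security.enabled'><boolean value='false'/></var>
</struct></data></wddxPacket>"""


def admin_auth_state(xml_text):
    """Return 'enabled', 'disabled' or 'unknown' for admin.security.enabled."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "unknown"  # unreadable config is reported, not ignored
    for var in root.iter("var"):
        if var.get("name") == KEY:
            flag = var.find("boolean")
            if flag is None:
                return "unknown"
            value = (flag.get("value") or "").strip().lower()
            return {"true": "enabled", "false": "disabled"}.get(value, "unknown")
    return "unknown"  # key missing: fail closed


def findings(configs):
    """configs maps a label (e.g. a file path) to file contents.
    Returns sorted (label, state) pairs for every config that is not 'enabled'."""
    result = []
    for label, text in configs.items():
        state = admin_auth_state(text)
        if state != "enabled":
            result.append((label, state))
    return sorted(result)


if __name__ == "__main__":
    # Usage: python check_cf_admin.py <path to neo-security.xml> [...]
    configs = {}
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            configs[path] = fh.read()
    bad = findings(configs)
    for label, state in bad:
        print(f"{label}: administrator authentication {state}")
    sys.exit(1 if bad else 0)
```

The script exits non-zero when any file is flagged, so it can run as a scheduled check after the service restarts.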


ColdFusion 10 – Windows IIS & WSConfig Woes

Usually, when I add a new website under IIS, I create a new instance in CF9, and use WSConfig to map the instance to the website. It's a straightforward process.

CF9 wsconfig


With CF10, I can’t seem to find any documentation on how to do that. Running WSConfig no longer has an option with a drop-down of instances, so I was left scratching my head.

CF10 wsconfig


Adobe’s notes @ http://help.adobe.com/en_US/ColdFusion/10.0/Installing/WSc3ff6d0ea77859461172e0811cdec18a15-7ffb.html have no mention of instances.

After much digging, I figured out that you cannot use the Web Server Configuration Tool in the Windows menu, rather you have to go to \*cf dir*\*instance dir*\runtime\bin, and run wsconfig.exe and select the right website from the drop down.

Essentially, every time you create a new instance, you have a new wsconfig.exe that you will use to connect that instance to a website. The one in the Windows menu is only for the cfusion instance, which makes it useless if you are used to a more advanced setup, nor is this documented very well.

Why in the world, when you had the flexibility before, was that taken away and not documented well? Adobe!!!