Web Software Architecture and Engineering – Life on the Bleeding Edge

Well, this didn’t take long!

I installed CF10 locally, and forgot the password over the weekend. So I did what every other developer does: play with ‘neo-security.xml’ and set ‘admin.security.enabled’ to false. Once I restarted the ColdFusion service, I was able to get into my CF Admin just fine.

But, here is where it gets interesting. Under Security->Administrator, the “No authentication needed (not recommended)” option was selected. Naturally, I changed that to “Use a single password only (default)”. Below that under “Root Administrator Password”, I entered the new passwords and hit ‘Submit Changes’ and CF Admin rejected me saying: “Password could not be changed as the old password is incorrect.”

Below where I set the new password is an input box for “Old Password”. Well – I don’t know the old password! So this means the old password field is required, regardless of whether you forgot it or not.

So I’m stuck. To close the big security hole of people being able to log into my CF Admin, I set the option to “Use a single password only (default)” without setting a new password, and suddenly my CF Admin requires a password. Hackers can’t get in, but neither can I.

Basically, I’m stuck until Adobe fixes this. After some searching I found a bug logged in May for this. PLEASE VOTE: https://bugbase.adobe.com/index.cfm?event=bug&id=3187494.

All I can do now is set the xml to false, restart CF, make my changes, and set the option to require a password. Not fun.
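The risky part of this workaround is forgetting to turn ‘admin.security.enabled’ back on after the restart, which leaves the CF Administrator open to anyone who can reach it. The following is an added audit script, not code from the post or from Adobe, that parses a neo-security.xml and flags that setting when it is false. It assumes the file is a WDDX packet in which each setting is a `<var name='...'>` element wrapping a typed value such as `<boolean value='true'/>`; the sample packets below are constructed for the example.

```python
# Added example (not from the post or from Adobe): audit a ColdFusion
# neo-security.xml for the "admin.security.enabled" flag the post describes.
# Assumption: the file is a WDDX packet where every setting is a
# <var name='...'> element wrapping one typed value element.
import sys
import xml.etree.ElementTree as ET

ADMIN_AUTH_KEY = "admin.security.enabled"


def read_settings(xml_text):
    """Return {setting name: value string} for every <var> in the packet."""
    root = ET.fromstring(xml_text)
    settings = {}
    for var in root.iter("var"):
        name = var.get("name")
        value_node = next(iter(var), None)
        if name is None or value_node is None:
            continue
        # <boolean value='..'/> and <number value='..'/> carry the value as an
        # attribute; <string>..</string> carries it as text.
        value = value_node.get("value")
        if value is None:
            value = value_node.text or ""
        settings[name] = value.strip()
    return settings


def admin_auth_enabled(xml_text):
    """True when the Administrator still requires a password.

    A missing key is treated as enabled, because the post only ever
    sets it to false explicitly; adjust if your install differs.
    """
    value = read_settings(xml_text).get(ADMIN_AUTH_KEY, "true")
    return value.lower() == "true"


def audit(xml_text):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if not admin_auth_enabled(xml_text):
        findings.append(
            f"{ADMIN_AUTH_KEY} is false: the CF Administrator accepts requests "
            "without any password; re-enable it (or use passwordreset) and restart"
        )
    return findings


# Constructed sample packets, not taken from a real install.
SECURE = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
<var name='admin.security.enabled'><boolean value='true'/></var>
</struct></data></wddxPacket>"""

WEAKENED = SECURE.replace(
    "<var name='admin.security.enabled'><boolean value='true'/>",
    "<var name='admin.security.enabled'><boolean value='false'/>",
)


if __name__ == "__main__":
    # Usage: python audit_neo_security.py /path/to/cfusion/lib/neo-security.xml
    # With no argument the constructed samples are audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            targets = {sys.argv[1]: fh.read()}
    else:
        targets = {"SECURE sample": SECURE, "WEAKENED sample": WEAKENED}
    for label, text in targets.items():
        problems = audit(text)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against the live file after every restart in the reset procedure; a non-empty finding list means the file was left in the “no authentication needed” state the post warns about.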

Does anyone have a workaround? Make sure to vote!


Comments on: "ColdFusion 10 – Known Security Bug" (6)

  1. Hey..you could try the passwordreset.bat/sh script in cfusion/lib..

  2. Correction : Hey..you could try the passwordreset.bat/sh script in cfusion/bin

    • That worked. I ran passwordreset.bat, then changed the setting to use “Use a single password only (default)”, and changed the password. Thanks Viny!

  3. As Viny mentioned you should not change flags in xmls file. Use the passwordreset utility and you should be good to go. The requirement for old password to change your password is for securing the administrator console.

  4. Good stuff! Thanks all!

  5. Chris Colley said:

    this still doesn’t take…says successful then it kicks back to not accepting the password
