Wednesday 9 January 2013

Setting a CFAdmin password

I despair. I was going to sit down tonight and be all pseudo-intellectual and watch Au Revoir les Enfants (which I have somehow managed to not yet see) on DVD, and otherwise ignore my computer. And ignore ColdFusion.  But here I am.

I had a Twitter exchange with Russ Michaels and Brad Wood about this current slew of security holes in ColdFusion (there are not one but three, apparently), and I mentioned that I couldn't be arsed looking into it to see what the actual issue was. But just like playing The Game, once the topic came up, it intrigued me more and more, so I decided whilst dinner was cooking "ah, it won't take long to find it, I'll have a look". So off I went.

The first thing I had to do was to set a password in CFAdmin.  As my machine is a developer machine and only notionally connected to the internet, and not externally accessible - you know: like almost all developer machines - having a password of CFAdmin is egregious. So I don't currently have one. But these security holes are predicated on having one set, so I needed to set one before I started.

So I browse to the "Security Administrator" in CFAdmin, and I get this:

Now... if you've been paying more attention to me that CF clearly has been, you'll recall I said "I don't have a password set". And, indeed, CFAdmin has got that bit right. It seems to know I have no password set. However to set a password... I need to enter my old password. This is the password I don't actually have. Because, you know, I don't have a password set at the moment.

One might think it was just a lazy UI implementation and the form field wasn't removed, but I can obviously ignore it given there's no value to put in there. No. CFAdmin insists I provide this fictitious old password.

I'm guessing this would be the pwd the CF installer forced me to use when I first installed CF. ..On the CF instance I knew would never be public-facing, and would not need a password, but still I had to provide one for. But I don't bloody remember what I used, because I knew it would only be relevant for as long as it took me to type it in, wait for the install to run, and then go into CFAdmin and take it back out again.

I shoulda just used "123" I guess. Sod it.

Fortunately there is a password reset batch file located in the bin dir of the CF instance (so C:\apps\adobe\ColdFusion\10\cfusion\bin\passwordreset.bat for me), and this enables me to set a new password (which cannot be blank, but can be anything, so "123" it is).

Interestingly, I still don't actually need to use it to login to CFAdmin (!!!) but I can use it as the "old" password before setting the "new" password now. I suppose the fact I don't need to login still is because "setting the password" is different from the setting to say "and require the password". I dunno what I think about that.

Now I have my password set, and I can go about this investigation (note: I will not be reporting my findings on these investigations, as that would be irresponsible from a security perspective). Depending on what I find, you might hear me either laughing or weeping from wherever you currently are.

But back to the situation immediately to hand: I think it's a bug in CFAdmin though that when one disables the requirement for a password, then the existing password is not removed along with it. "No password" should mean "there is no password", not "there actually is, and you need to remember what it is". [searches the bugbase] Oh... and someone had already had the same experience, and raised a ticket for it (3187494). Adobe closed it as "user error".

My reaction to this (in my vote for the ticket) was:

This needs reopening. the way it's been implemented defies common sense. It might have been "user error" (as per the excuse for closing it), but it's user error borne of quite reasonable expectations of common sense not being implemented by CFAdmin.

(NB: this is not a theoretical gripe, I was just caught out by this too).
I also note - with interest - that this behaviour is new to CF10. The UI in CF9 looks like this:

So on CF9 one did not have to confirm the existing password before setting a new one. I actually think this is a big dodgy, so the addition of the "confirm your existing one" thing on CF10 is a good thing, but only if there actually is a password currently in place. So I think the UI has improved, but it's still bung.

And I'm not just saying this because it caught me out. Honest.

I'm now split as to whether it's the movie, or ferreting around in the AdminAPI to see how gaping this security hole is. I'll think I'll watch the movie whilst I still have the attention span to read along the bottom.