CF 9.0.01 code changes

Written by jbriccetti. Posted in Misc Ramblings

As many of you may know, the CF 9.0.1 update added a *very important* security update, especially for hosted environments. This “vulnerability” has been around since CF6; it’s really a feature, but in the wrong hands, it’s about as bad as it gets (thus, “vulnerability” in quotes).
The issue is that with a little code like this:

createObject( "java", "coldfusion.server.ServiceFactory" ).getDataSourceService().getDatasources()

you can get a list of all the data sources on a server and, more importantly, all the data source metadata stored in the ColdFusion server. Many hosting companies disable access to internal ColdFusion Java components, but if this restriction isn’t in place, the datasource information is blatantly exposed to unauthorized access; let’s just say this is the reason why shared hosting is really never secure enough. A simple dump of the result of this service object call would reveal the encrypted passwords; add a little Google search and a quick decrypt and you’re in. With <cfdbinfo />, you are inspecting the data sources dynamically and querying anything you like. Chances are, somewhere on every shared host server there is at least one (1) dingbat who decided to stash unencrypted credit card info or passwords. Chaos ensues…
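For auditing your own templates (or a shared host's tenant code) for the call described above, a small scanner can flag references to `coldfusion.server.ServiceFactory` and the datasource service methods. This is an added example in Python, not code from the original post or from ColdGen; the function names and the sample template are constructed, and matching the `<cfobject>` tag form goes slightly beyond the one-liner shown above.

```python
import re

Q = r"""["']"""  # CFML accepts single or double quotes
CLS = Q + r"coldfusion\.server\.ServiceFactory" + Q
# CFML is case-insensitive, so every pattern is compiled with re.I.
PATTERNS = {
    # createObject("java", "...ServiceFactory") or <cfobject class="...ServiceFactory">
    "service-factory": re.compile(
        r"createObject\s*\(\s*" + Q + "java" + Q + r"\s*,\s*" + CLS
        + r"|<cfobject\b[^>]*\bclass\s*=\s*" + CLS, re.I),
    # the datasource service methods named in the post
    "datasource-call": re.compile(
        r"\.\s*(?:getDataSourceService|getDatasources)\s*\(", re.I),
}
CFML_COMMENT = re.compile(r"<!---.*?--->", re.S)  # nested comments not handled


def blank_comments(source):
    """Overwrite CFML comments with spaces so offsets and line numbers hold."""
    return CFML_COMMENT.sub(lambda m: re.sub(r"[^\r\n]", " ", m.group()), source)


def scan_template(source):
    """Return sorted (line_no, kind, source_line) findings for one template."""
    text = blank_comments(source)
    lines = source.split("\n")
    found = set()
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):  # whole-text search catches multi-line calls
            line_no = text.count("\n", 0, m.start()) + 1
            found.add((line_no, kind, lines[line_no - 1].strip()))
    return sorted(found)


# Constructed sample template (not from the original post).
SAMPLE = """<!--- constructed sample --->
<cfset factory = createObject( "java", "coldfusion.server.ServiceFactory" )>
<cfset dsns = factory.getDataSourceService().getDatasources()>
<!--- <cfobject type="java" class="coldfusion.server.ServiceFactory" name="old"> --->
<cfobject type="JAVA" class="ColdFusion.Server.ServiceFactory" name="sf">
<cfquery name="q" datasource="app">SELECT 1</cfquery>
"""

if __name__ == "__main__":
    for line_no, kind, line in scan_template(SAMPLE):
        print(f"{line_no}: {kind}: {line}")
```

Commented-out references are ignored, and an ordinary `<cfquery datasource="...">` is not flagged, so the output is limited to code that reaches into the internal service layer.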
Well, if you are like me, or my co-worker Mike Pacella, we’ve used this type of service call in our development environments for some of our code generation tools. So today, when I went to use [his] [our] DAO / gateway generator ColdGen, I threw an ugly error. CF 9.0.1 won’t let me call that getDataSources