I haven't touched ColdFusion in probably close to 5 years and I'm totally lost on how to manage the application server. I have a friend who's server is getting hacked quite viciously right now. They have uploaded a shell using a ColdFusion administrator exploit. They have nicely hidden the shell, so I'm unable to locate it. Previously I would search for all instances of CFEXECUTE in *.cfm pages and I would find it quickly and remove it. I would like to disable CFEXECUTE all together, but the hackers have mangled the ColdFusion Administrator to the point that when I go to the security tab, I am redirected out of the Administrator all together.
Is there a configuration setting in an XML file perhaps that I can adjust to disable CFEXECUTE or is the setting in the ColdFusion Administrator the only option?
Thank you for any assistance anyone can offer.
What is the version of ColdFusion in discussion here?
This is ColdFusion 9. The gentleman running the server wasn't well versed in security, so he did not have the latest hotfixes applied. Since he brought me in for assistance, we have managed to apply the latest CF 9 updates/hotfixes, so we're at the latest CF 9 possible at this point.
You can try the following to by pass login to CF Admin:-
1. Navigate to neo-security.xml at \ColdFusion9\lib.
2. Take a backup of the same and open it with notepad or any text editor.
3. Search for <var name='admin.security.enabled'><boolean value='false'/>
4. Change the "false" to "true" and save the file.
5. Restart ColdFusion 9 Application service.
Now you can login to CF Admin, with any password.
To disable any Tag, please enable Sandbox Security. Relevant doc: Adobe ColdFusion 9 * Using sandbox security
Once you have made all the necessary changes, please enable the Admin Security from CF Admin itself.
Thanks but I can login to the CF Admin just fine, that's not an issue. However, the security tab for disabling CFEXECUTE is destroyed and therefore, I cannot disable CFEXECUTE.
Is there a similar XML setting that might allow me to disable CFEXECUTE without using the CF Administrator panel?
Mike Chandler wrote:
the hackers have mangled the ColdFusion Administrator to the point that when I go to the security tab, I am redirected out of the Administrator all together.
So, if its redirecting you to the Administrator, is it logging you out from the CF Admin as well?
It totally redirects me when I go to the Security page that is meant to disable CFEXECUTE. It doesn't appear to expire my Administrator session. In doing the hotfix, I believe the security admin scripts were all updated, but they're also encrypted so I can't see the source code to understand what is happening that causes the redirect, but it redirects me immediately upon accessing that page in the security tab and I can't get past that issue.
Is the Administrator the only way to disable CFEXECUTE?
I'm thinking that when CFEXECUTE is disabled, something gets written to disk or a registry entry is written or something. Knowing what that is so I can adjust it manually would be a huge help. With the security tab on the CF Administrator being disabled or inoperable, I'm really hosed. Thanks for any additional insight you can offer.
neo-security.xml holds the info for Sandbox Security as well.
That's good to know. Is it just a matter of setting sbs.security.enabled to true in neo-security.xml?
No worries, it's a tough issue. I really haven't found any answers online unfortunately. Thanks for looking into this for me.