Disabling CFEXECUTE without CF Administrator

New Here, May 28, 2015


I haven't touched ColdFusion in probably close to 5 years and I'm totally lost on how to manage the application server.  I have a friend whose server is getting hacked quite viciously right now.  They have uploaded a shell using a ColdFusion administrator exploit.  They have nicely hidden the shell, so I'm unable to locate it.  Previously I would search for all instances of CFEXECUTE in *.cfm pages and I would find it quickly and remove it.  I would like to disable CFEXECUTE altogether, but the hackers have mangled the ColdFusion Administrator to the point that when I go to the security tab, I am redirected out of the Administrator altogether.

Is there a configuration setting in an XML file perhaps that I can adjust to disable CFEXECUTE or is the setting in the ColdFusion Administrator the only option?

Thank you for any assistance anyone can offer.

Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
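The sweep the original poster describes (searching every ColdFusion source file for CFEXECUTE) as a small script, added here as an example and not posted by anyone in the thread. It assumes ColdFusion handles the extensions listed in CF_EXTENSIONS, walks hidden files and folders too (a planted file in an images directory is a common hiding place), and builds its own constructed sample web root in a temporary directory so it can be run as-is:

```python
"""Locate ColdFusion source files that reference cfexecute.

Added example (not from the thread): sweeps a web root for the cfexecute tag
the way the original poster describes, so a planted file that spawns
processes can be found and removed. Assumptions: ColdFusion compiles the
extensions listed in CF_EXTENSIONS; the sample web root is constructed here.
"""
import re
import tempfile
from pathlib import Path

# Extensions ColdFusion serves as templates/components (assumed list; add any
# extra mappings your web server hands to ColdFusion).
CF_EXTENSIONS = {".cfm", ".cfml", ".cfc"}

# Word match, case-insensitive: catches <cfexecute ...>, </CFEXECUTE> and the
# name appearing in CFScript; deliberately loose so comments are flagged too.
CFEXECUTE_RE = re.compile(r"\bcfexecute\b", re.IGNORECASE)


def find_cfexecute_lines(text):
    """Return [(line_number, stripped_line), ...] for lines mentioning cfexecute."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if CFEXECUTE_RE.search(line)]


def scan_webroot(root):
    """Walk root (hidden files included) and map relative path -> hits."""
    root = Path(root)
    results = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in CF_EXTENSIONS:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file; report separately in a real sweep
        hits = find_cfexecute_lines(text)
        if hits:
            results[path.relative_to(root).as_posix()] = hits
    return results


# Constructed sample web root: one clean page, one planted file hidden in an
# images folder, one component that calls cfexecute, one non-CF text file.
SAMPLE_FILES = {
    "index.cfm": "<cfset greeting = 'hello'>\n<cfoutput>#greeting#</cfoutput>\n",
    "images/.cache.cfm": ("<cfsilent>\n"
                          "<CFEXECUTE name=\"hostname\" timeout=\"5\" variable=\"out\"></CFEXECUTE>\n"
                          "</cfsilent>\n"),
    "admin/util.cfc": ("<cfcomponent>\n"
                       "  <cffunction name=\"run\">\n"
                       "    <cfexecute name=\"hostname\" timeout=\"5\" />\n"
                       "  </cffunction>\n"
                       "</cfcomponent>\n"),
    "notes.txt": "cfexecute mentioned in a text file is not executable\n",
}


def write_sample_webroot(root):
    """Write the constructed files under root."""
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def demo():
    """Build the constructed web root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_webroot(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        for lineno, line in hits:
            print(f"{rel}:{lineno}: {line}")
```

Point scan_webroot at the real web root (and at any other directory the web server maps to ColdFusion) and review every hit by hand; a match in a component or an unexpected folder is worth a look even when the tag itself is legitimate.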
Adobe Employee, May 28, 2015


What is the version of ColdFusion in discussion here?

Regards,

Anit Kumar

New Here, May 28, 2015


This is ColdFusion 9.  The gentleman running the server wasn't well versed in security, so he did not have the latest hotfixes applied.  Since he brought me in for assistance, we have managed to apply the latest CF 9 updates/hotfixes, so we're at the latest CF 9 possible at this point.

Thanks,

Mike

Adobe Employee, May 28, 2015


Mike,

You can try the following to bypass the login to CF Admin:

1. Navigate to neo-security.xml at \ColdFusion9\lib.

2. Take a backup of the same and open it with notepad or any text editor.

3. Search for <var name='admin.security.enabled'><boolean value='false'/>

4. Change the "false" to "true" and save the file.

5. Restart ColdFusion 9 Application service.

Now you can log in to CF Admin with any password.

To disable any Tag, please enable Sandbox Security. Relevant doc: Adobe ColdFusion 9 * Using sandbox security

Once you have made all the necessary changes, please enable the Admin Security from CF Admin itself.

Regards,

Anit Kumar

New Here, May 28, 2015


Thanks, but I can log in to the CF Admin just fine; that's not an issue.  However, the security tab for disabling CFEXECUTE is destroyed and therefore I cannot disable CFEXECUTE.

Is there a similar XML setting that might allow me to disable CFEXECUTE without using the CF Administrator panel?

Adobe Employee, May 28, 2015


Mike Chandler wrote:

the hackers have mangled the ColdFusion Administrator to the point that when I go to the security tab, I am redirected out of the Administrator all together.

So, if it's redirecting you to the Administrator, is it logging you out from the CF Admin as well?

Regards,

Anit Kumar

New Here, May 28, 2015


It totally redirects me when I go to the Security page that is meant to disable CFEXECUTE.  It doesn't appear to expire my Administrator session.  In doing the hotfix, I believe the security admin scripts were all updated, but they're also encrypted, so I can't see the source code to understand what is happening that causes the redirect.  It redirects me immediately upon accessing that page in the security tab, and I can't get past that issue.

Is the Administrator the only way to disable CFEXECUTE?

New Here, May 28, 2015


I'm thinking that when CFEXECUTE is disabled, something gets written to disk or a registry entry is written or something.  Knowing what that is so I can adjust it manually would be a huge help.  With the security tab on the CF Administrator being disabled or inoperable, I'm really hosed.  Thanks for any additional insight you can offer.

Adobe Employee, May 28, 2015


neo-security.xml holds the info for Sandbox Security as well.


Regards,

Anit Kumar

New Here, May 28, 2015


That's good to know.  Is it just a matter of setting sbs.security.enabled to true in neo-security.xml?

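A way to check what neo-security.xml currently says about admin security and sandbox security, and to flip the sbs.security.enabled flag that Mike asks about, added here as an example that is not from either participant. The WDDX layout (a wddxPacket holding a struct of `<var name='...'><boolean value='...'/></var>` entries) is assumed from the snippet Anit quoted earlier in the thread; the packet below is constructed, not copied from a server:

```python
"""Read and adjust boolean flags in ColdFusion's neo-security.xml.

Added example, not from the thread. The WDDX layout below is assumed from the
<var name='...'><boolean value='...'/></var> snippet quoted earlier in the
thread; the sample packet is constructed, not copied from a real server.
"""
import xml.etree.ElementTree as ET

# Constructed sample packet (assumed layout; compare with your own file).
SAMPLE_NEO_SECURITY = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
<var name='admin.security.enabled'><boolean value='true'/></var>
<var name='sbs.security.enabled'><boolean value='false'/></var>
</struct></data></wddxPacket>"""


def read_boolean_flags(xml_text):
    """Map every <var name=...><boolean value=.../></var> to a Python bool."""
    flags = {}
    for var in ET.fromstring(xml_text).iter("var"):
        boolean = var.find("boolean")
        if boolean is not None:
            flags[var.get("name")] = boolean.get("value", "").strip().lower() == "true"
    return flags


def review_flags(flags):
    """Findings for the two flags this thread discusses."""
    findings = []
    if not flags.get("admin.security.enabled", False):
        findings.append("admin.security.enabled=false: the Administrator login does not check a password")
    if not flags.get("sbs.security.enabled", False):
        findings.append("sbs.security.enabled=false: sandbox security is off, so no per-directory tag "
                        "restrictions (including a disabled cfexecute) are enforced")
    return findings


def set_boolean_flag(xml_text, name, enabled):
    """Return a copy of xml_text with the named boolean flag set to enabled."""
    root = ET.fromstring(xml_text)
    for var in root.iter("var"):
        if var.get("name") == name:
            boolean = var.find("boolean")
            if boolean is not None:
                boolean.set("value", "true" if enabled else "false")
                return ET.tostring(root, encoding="unicode")
    raise KeyError(f"no boolean var named {name!r} in packet")


if __name__ == "__main__":
    before = read_boolean_flags(SAMPLE_NEO_SECURITY)
    for finding in review_flags(before):
        print("finding:", finding)
    hardened = set_boolean_flag(SAMPLE_NEO_SECURITY, "sbs.security.enabled", True)
    print("after:", review_flags(read_boolean_flags(hardened)) or "no findings")
```

Two caveats when applying this to a real file: stop the ColdFusion service before writing the edited packet back, because ColdFusion rewrites its neo-*.xml files when it shuts down and will otherwise discard the change; and sbs.security.enabled only switches enforcement on, so which tags are disabled in which directories still has to come from the sandbox definitions described in the sandbox security doc Anit linked. ElementTree emits double-quoted attributes where the original uses single quotes, which the XML parser accepts either way.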
New Here, May 28, 2015

No worries, it's a tough issue.  I really haven't found any answers online unfortunately.  Thanks for looking into this for me.
