Steven Erat's Blog Steven Erat Photography
 
 

TalkingTree  A ColdFusion Trick for Lost Datasource Password

 

Here's a quick trick if you don't have a datasource password when creating a new datasource but you do have another ColdFusion server with the same datasource.

Imagine you have two production servers running ColdFusion, each one with different datasources running different applications. What if you have a datasource on one server and you need to create that datasource on the second one but can't find (or don't have) the database password?

All recent ColdFusion versions use the same encryption algorithm for encrypting and decrypting the passwords of datasources registered in the CF Administrator. This is why you can copy ColdFusionX/lib/neo-datasource.xml from one ColdFusion 8 server to another ColdFusion 8 server, and the second server will have all the same datasources as the first. This is a quick way to mirror datasources across different ColdFusion servers. It also means the encrypted string in that file is valid on any server of those versions, so the file deserves the same access restrictions as the password itself.

But now, back to the problem where you have different datasources on each CF server and cannot copy over the whole datasource config file. If you don't have the database password, you can create a new datasource on the second server without supplying a password. The datasource will then fail to verify. However, if you examine the datasource config file from the first server, you can find the encrypted version of the password. A snippet from the ColdFusion8/lib/neo-datasource.xml file is shown below. Notice the encrypted version of the password in this XML section:

<var name="timeout">
<number>1200.0</number>
</var>
<var name="password">
<string>RgmrmRQhiQM=</string>
</var>
<var name="update">
<boolean value="true"/>
</var>
<var name="drop">
<boolean value="true"/>
</var>
<var name="pooling">
<boolean value="true"/>
</var>
<var name="url">
<string>
jdbc:seefusion:{jdbc:mysql://localhost:3306/cfcontact?};driver=com.mysql.jdbc.Driver;dsn=cfcontact;
</string>
</var>


In this case the datasource has an encrypted password of RgmrmRQhiQM=. Find the datasource of interest in the first server's config file, find the encrypted version of its password, and copy it into the neo-datasource.xml config file on the other server. There, find the XML node for the failed datasource. Its password field should be empty:

<var name="password">
<string></string>
</var>


Then paste the encrypted version of the password in between:

<var name="password">
<string>RgmrmRQhiQM=</string>
</var>


For this to work, the ColdFusion server where you are pasting the password should be stopped, so that ColdFusion does not overwrite your changes with the copy it already has in memory. Start ColdFusion again after pasting and the datasource will verify.
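The copy step described above can be scripted so the right node is edited and nothing else is touched. This is an added example, not code from the original post; the sample XML is constructed, and its simplified `<struct>`/`<var>` nesting (one outer `<var>` per datasource name) is an assumption about the file layout that you should check against your own neo-datasource.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample input; the nesting is an assumed, simplified layout.
SOURCE_XML = """<struct><var name="cfcontact"><struct>
  <var name="timeout"><number>1200.0</number></var>
  <var name="password"><string>RgmrmRQhiQM=</string></var>
</struct></var></struct>"""

TARGET_XML = """<struct><var name="cfcontact"><struct>
  <var name="timeout"><number>1200.0</number></var>
  <var name="password"><string></string></var>
</struct></var></struct>"""


def password_node(root, dsn):
    """Return the <string> element holding the password of datasource `dsn`."""
    for var in root.iter("var"):
        if var.get("name") == dsn:
            node = var.find("./struct/var[@name='password']/string")
            if node is not None:
                return node
    raise KeyError(f"datasource {dsn!r} with a password field not found")


def copy_encrypted_password(source_xml, target_xml, dsn):
    """Return target_xml with the encrypted password for `dsn` filled in.

    The encrypted string is copied as-is; it is never decrypted.
    """
    src = password_node(ET.fromstring(source_xml), dsn)
    target_root = ET.fromstring(target_xml)
    dst = password_node(target_root, dsn)
    if not (src.text or "").strip():
        raise ValueError("source datasource has no stored password")
    if (dst.text or "").strip():
        # Guard against clobbering a datasource that already verifies.
        raise ValueError("target already has a password; refusing to overwrite")
    dst.text = src.text.strip()
    # ElementTree re-serializes the document: quoting and whitespace may
    # change and an XML declaration is dropped, so diff before deploying.
    return ET.tostring(target_root, encoding="unicode")


if __name__ == "__main__":
    print(copy_encrypted_password(SOURCE_XML, TARGET_XML, "cfcontact"))
```

Back up the target file before writing the result to it.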

This can also work between ColdFusion versions. For example, ColdFusion MX 7 used neo-query.xml, and ColdFusion 8 restructured the file into neo-drivers.xml and neo-datasource.xml, but the encryption remained the same. You can copy the encrypted form of the password from a CF7 server and paste it into a CF8 or CF9 datasource config file.

This is a bit of a hack, but it does work.

 


Comments

Incidentally, the reason I know this works is because I used it during a company meeting on the first morning of the first day of my new job (last week). The definition of pressure is having a room full of new coworkers watch you as you try it out on a projection screen.


Unfortunately, I don't think this is going to work after 9.01. One of the security enhancements planned is to give each CF instance its own seed/key for encryption. Meaning the encrypted value found in neo-query.xml will be different for each instance.

-Adam


That's good news! I wasn't sure this was going to work in the first place since I thought the encryption might be salted. The first thing I thought of was that this would make a good enhancement request.

There's legions of 'legacy' ColdFusion servers out there, so this blog entry may be useful for years to come.


On the bright side, I'm pretty confident you'll still be able to retrieve passwords using Wireshark to capture your unencrypted database connections.


You can also just read the encrypted password out of the 'edit DSN' HTML instead of digging around in the XML file. Saves you a step.


Well it seems that if I copy lib/seed.properties, lib/neo-drivers.xml, and lib/neo-datasource.xml from one CF 901 instance to another instance (even on another OS platform) that the datasources will still verify from that second machine. So the trick still works, just more files to copy.


Copyright © 2010 Steven Erat. All rights reserved.
This is a personal weblog. The opinions expressed here represent my own and not those of my employer