Ask a Jedi: How secure are the username/password values of a ColdFusion Scheduled Task?

Kay asks:

How secure are the usernames and passwords of scheduled tasks in the ColdFusion admin console?

I think the answer is - it depends. I did a quick test and added a username of ‘user’ and password of ‘pass’ to a scheduled task. I then clicked to edit it again and the password was already filled in on the form. It was rendered as a password field, so the browser masked it, but View Source showed the plaintext value in the form's HTML. Anyone who gets into your ColdFusion Administrator can therefore read every scheduled task password.

You can also dig into your ColdFusion lib folder and open neo-cron.xml, the WDDX-formatted XML file that defines all the scheduled tasks. The username was there in plain text:

<var name='username'><string>user</string></var>

The password, by contrast, was stored encrypted (necessarily in a reversible form, since ColdFusion has to recover the plaintext to send it with the scheduled request):

<var name='password'><string>(P(BMZG]$VZ\ <char code='0a'/></string></var>

Of course, anyone who can write to the lib XML files can also simply disable the ColdFusion Administrator password in the same folder's configuration and then read the entry through the edit form, so file access to lib and Administrator access amount to the same thing.
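The kind of check that follows from the above is an inventory of which scheduled tasks actually carry credentials, so you know what a compromise of lib or of the Administrator would hand over. The script below is an added example, not code from the original post or from ColdFusion itself. Only the two `<var name='username'>` / `<var name='password'>` lines are taken from the page; the surrounding wddxPacket/array/struct layout and the other var names (task, url, operation) are assumptions about neo-cron.xml's structure, and the sample packet is constructed here. It goes slightly beyond the post in one respect: it also flags tasks whose URL is plain http://, because the credential will then travel over the wire in the clear as well as sitting in the file. It makes no attempt to decrypt the stored password; it only reports that one is present.

```python
"""Audit the credentials recorded in a ColdFusion neo-cron.xml (WDDX).

Added example; not from the original post or ColdFusion. The packet layout
and the var names other than username/password are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the page's WDDX format. The password string is the
# page's own example, including the <char code='0a'/> escape that WDDX uses
# for control characters (here a trailing newline).
SAMPLE_NEO_CRON = """<wddxPacket version='1.0'><header/><data>
<array length='2'>
<struct type='coldfusion.server.ConfigMap'>
<var name='task'><string>nightly-report</string></var>
<var name='operation'><string>HTTPRequest</string></var>
<var name='url'><string>http://intranet.example.test/report.cfm</string></var>
<var name='username'><string>user</string></var>
<var name='password'><string>(P(BMZG]$VZ\\ <char code='0a'/></string></var>
</struct>
<struct type='coldfusion.server.ConfigMap'>
<var name='task'><string>cache-warm</string></var>
<var name='operation'><string>HTTPRequest</string></var>
<var name='url'><string>https://www.example.test/warm.cfm</string></var>
<var name='username'><string></string></var>
<var name='password'><string></string></var>
</struct>
</array>
</data></wddxPacket>"""


def wddx_string(elem):
    """Decode a WDDX <string>: its text plus any <char code='xx'/> escapes.

    A naive elem.text would silently drop the escaped control characters,
    which matters when you are comparing stored values byte for byte.
    """
    parts = [elem.text or ""]
    for child in elem:
        if child.tag == "char":
            parts.append(chr(int(child.get("code"), 16)))
        parts.append(child.tail or "")
    return "".join(parts)


def load_tasks(xml_text):
    """Return one dict of var-name -> decoded string per <struct> in the packet."""
    root = ET.fromstring(xml_text)
    tasks = []
    for struct in root.iter("struct"):
        fields = {}
        for var in struct.findall("var"):
            s = var.find("string")
            # An empty <string/> element is falsy, so test against None.
            fields[var.get("name")] = wddx_string(s) if s is not None else None
        tasks.append(fields)
    return tasks


def audit(tasks):
    """List every task that stores a credential, with the exposure it implies."""
    findings = []
    for t in tasks:
        user = t.get("username") or ""
        pw = t.get("password") or ""
        url = t.get("url") or ""
        if not user and not pw:
            continue  # nothing sensitive stored for this task
        issues = []
        if user:
            issues.append("username stored in plaintext in neo-cron.xml")
        if pw:
            issues.append("password stored reversibly encrypted; readable "
                          "via the Administrator edit form")
        if url.lower().startswith("http://"):
            issues.append("credential will be sent over plain HTTP to " + url)
        findings.append({"task": t.get("task", "?"), "username": user,
                         "stored_password_len": len(pw), "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit(load_tasks(SAMPLE_NEO_CRON)):
        print(f["task"], f["username"], f["issues"])
```

Point it at the real file with `load_tasks(open(path).read())`; any task that shows up in the output is one whose credential should be rotated if lib or the Administrator is ever exposed, and ideally replaced with a task-specific, low-privilege account.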

All in all I’d say - pretty secure unless someone gets access to the machine itself. Locked down completely 100% super-duper government agent safe? Probably not. Reasonably secure though.


About Raymond Camden

Raymond is a developer advocate. He focuses on JavaScript, serverless and enterprise cat demos.

Lafayette, LA