Ask a Jedi: How secure are the username/password values of a ColdFusion Scheduled Task?

This post is more than 2 years old.

Kay asks:

How secure are the usernames and passwords of scheduled tasks in the ColdFusion admin console?

I think the answer is - it depends. I did a quick test and added a username of 'user' and password of 'pass' to a scheduled task. I then clicked to edit it again and the password was in the form. It was a password field, but view source showed it. If someone got access to your ColdFusion admin, they could see the password.

You can also dig into your ColdFusion lib folder and find neo-cron.xml. This is an XML file that defines all the scheduled tasks. The username was there, in plain text:

<var name='username'><string>user</string></var>

But the password was encrypted:

<var name='password'><string>(P(BMZG]$VZ\ <char code='0a'/></string></var>

Of course, if someone gets access to your lib XML files, they can just disable the ColdFusion administrator password and view the entry via the form.

All in all I'd say - pretty secure unless someone gets access to the machine itself. Locked down completely 100% super-duper government agent safe? Probably not. Reasonably secure though.
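An added example, not code from the original post or from Adobe: a small audit that lists which scheduled tasks in a neo-cron.xml store credentials and whether the file is readable by every local account, without ever returning the stored password value. Only the `<var name='username'>` / `<var name='password'>` form comes from the post; the one-struct-per-task layout, the `task` var name, and the sample data are assumptions.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample in the WDDX style quoted in the post. The layout around the
# username/password vars (one <struct> per task, a 'task' var) is an assumption.
SAMPLE = b"""<wddxPacket version='1.0'><header/><data><struct>
<var name='nightly'><struct>
  <var name='task'><string>nightly</string></var>
  <var name='username'><string>user</string></var>
  <var name='password'><string>XXXX<char code='0a'/></string></var>
</struct></var>
<var name='cleanup'><struct>
  <var name='task'><string>cleanup</string></var>
  <var name='username'><string></string></var>
  <var name='password'><string></string></var>
</struct></var>
</struct></data></wddxPacket>"""


def _value(struct, name):
    """Return (text, has_content) for a direct child <var name=...> of struct."""
    for var in struct.findall("var"):
        if var.get("name") == name:
            s = var.find("string")
            if s is None:
                return "", False
            text = "".join(s.itertext())
            # A <char code='..'/> child is content even when there is no text.
            return text, bool(text.strip()) or len(s) > 0
    return "", False


def audit_tasks(xml_bytes):
    """List tasks that store credentials; the password value is never returned."""
    findings = []
    for struct in ET.fromstring(xml_bytes).iter("struct"):
        user, has_user = _value(struct, "username")
        _, has_pass = _value(struct, "password")
        if has_user or has_pass:
            findings.append({"task": _value(struct, "task")[0],
                             "username": user, "password_stored": has_pass})
    return findings


def audit_file(path):
    """Audit a file on disk and report whether 'other' users can read it (POSIX mode bits)."""
    with open(path, "rb") as fh:
        findings = audit_tasks(fh.read())
    return findings, bool(os.stat(path).st_mode & stat.S_IROTH)
```

On Windows the POSIX mode bits do not reflect NTFS ACLs, so review the permissions on the lib directory there with the platform's own tools.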

About Raymond Camden

Raymond is a senior developer evangelist for Adobe. He focuses on document services, JavaScript, and enterprise cat demos.

Archived Comments

Comment 1 by Brad Wood posted on 3/25/2009 at 6:42 AM

That's kind of interesting that they bothered to encrypt the password in the XML file, but decrypted it to put in the source of the form. I assume it's passed back in clear text on form submit too.

In general though, I would say your server is only as safe as your ColdFusion8\lib directory-- and hopefully you keep that pretty safe :)

Comment 2 by Joshua Curtiss posted on 3/25/2009 at 8:53 AM

CF Administrator can work over SSL, so the bit about submitting the password cleartext is partly at the discretion of the person setting up the server. :-)

Comment 3 by Sid Wing posted on 3/25/2009 at 5:01 PM

@Joshua - have they fixed the issue with the Java Applet that "browses" the server for things like Access databases? That app used to be completely broken if you implemented the Admin under HTTPS.

Comment 4 by Joshua Curtiss posted on 3/25/2009 at 6:47 PM

I don't think so. Honestly, I don't even try anymore, I just manually paste or type in the path. :-) A minor annoyance, but not something you can't live with.

Comment 5 by DanaK posted on 3/26/2009 at 6:46 PM

I can confirm the browsing applet is still borked.

Between moving the administrator out of the webroot, setting up its own IIS site and using SSL.... there are plenty of options available to lock things down nice.

We have our administrator set up to respond only to the local loopback currently. If they get around all that, you have bigger problems anyhow?

Comment 6 by BC posted on 3/27/2009 at 11:49 PM

A passwordless solution for a Windows server with public internet IP address and NAT translation to private IP address for the IIS web sites could be as follows:

In IIS - Deny access to the scheduled task page(s) to all except the internal IP address. Then in CF Admin, call your task page via the internal IP rather than domain name (http://192.168.1.x/myScheduledTask.cfm)