So far in our attempts to get access to the templates and data of other hosted customers we have primarily focused on accessing the templates of other users in order to get access to their data through them. A more direct approach is to try to access the database directly.

Registered datasources

To access a registered datasource all you need is its name. More often than not, names are easy to guess. Depending on how the datasource is registered in the CF Administrator, you may need a username and password as well. If the username and password to the datasource are registered in the ColdFusion Administrator, ColdFusion will write them to neo-datasource.xml. They are encrypted there, but with a reversible algorithm (ColdFusion needs to be able to decrypt them in order to authenticate). The way to decrypt these passwords is well known. So if you have read access to neo-datasource.xml through an incorrect Sandbox configuration, you have all usernames and passwords registered there.
If the username and password of the datasource are not registered in the ColdFusion Administrator, chances are they are stored in the application scope somewhere, and we have already seen that the application scope is insecure.

The first line of defense against this is to configure Sandbox Security so that each Sandbox is only allowed access to specific datasources. This will effectively lock down access from ColdFusion to the datasource, even if you know the full connection string.

Database to database connections

But as good as the protection for datasources is in ColdFusion, it only protects against connections from ColdFusion’s cfquery and cfstoredproc. Just as the trick to work around a disabled cfexecute is to create Java / COM / .NET objects, the trick to work around a disabled ColdFusion datasource connection is to start the connection from somewhere else. And the way to do that is to connect from one database to another. The protocol to do so, SQL/MED, is not widely implemented in databases, but most databases offer proprietary ways to do so. For instance, in MS SQL Server you would use:

SELECT *
FROM OpenDataSource(
  'SQLOLEDB'
  , 'Data Source=server.asdf.com;User ID=yourusername;Password=yourpassword'
  ).somedatabase.dbo.sometable;

In PostgreSQL that would be:

SELECT *
FROM dblink(
  'dbname=postgres'
  , 'SELECT ID, value FROM tables'
  ) AS t1(
  ID INT
  , value TEXT
  );

The one thing that makes this more difficult is that you usually need some sort of superuser privilege on the database server to be allowed to do this.

MS Access

MS Access is a file-based database that is pretty popular in shared hosting. While people frequently question its performance, scalability and security, it is still an attractive offering because it allows users to download the database, edit it offline and then upload an entirely new database with new data.

MS Access offers a very simple feature to access tables in other MS Access databases without the superuser privileges you would need on a more full-featured database server. You just specify the path to the data file you want to access directly in the query:

SELECT *
FROM table IN 'h:\sites\database.mdb'
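
A defender-side check for the three constructs shown above, added here as an example and not part of the original post: it scans logged SQL statements for OpenDataSource, dblink and the Access IN 'path' clause, and reports Access paths that fall outside the tenant's own directory. The function names, the tenant_root parameter, the directory layout and the sample statements are assumptions constructed for illustration.

```python
import ntpath
import re

# Quoted literals ('' and "" are escaped quotes). Their contents are masked so
# keywords inside data never match, while character offsets stay unchanged.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\"(?:[^\"]|\"\")*\"")
_CALLS = {
    "mssql-opendatasource": re.compile(r"\bOPENDATASOURCE\s*\(", re.I),
    "postgresql-dblink": re.compile(r"\bdblink\w*\s*\(", re.I),
}
# MS Access external-database clause: FROM <table> IN '<path>'
_ACCESS_IN = re.compile(r"\bFROM\s+(?:\[[^\]]+\]|\w+)\s+IN\s+(['\"])(x*)\1", re.I)


def _mask(sql):
    return _LITERAL.sub(lambda m: m[0][0] + "x" * (len(m[0]) - 2) + m[0][-1], sql)


def _norm(path):
    # Collapse ".." and fold case and slashes the way Windows compares paths.
    return ntpath.normcase(ntpath.normpath(path))


def scan(sql, tenant_root):
    """Return (rule, detail) findings for one logged SQL statement.

    tenant_root (assumed layout) is the only directory this tenant may use;
    relative Access paths are reported too, since their target is unknown.
    """
    masked = _mask(sql)
    findings = [(rule, sql[m.start():m.end()])
                for rule, rx in _CALLS.items() for m in rx.finditer(masked)]
    allowed = _norm(tenant_root).rstrip("\\") + "\\"
    for m in _ACCESS_IN.finditer(masked):
        path = sql[m.start(2):m.end(2)]
        if not _norm(path).startswith(allowed):
            findings.append(("access-external-file", path))
    return findings


# Constructed sample statements, not taken from a real log.
SAMPLES = [
    "SELECT * FROM OpenDataSource('SQLOLEDB','Data Source=db.example.test').d.dbo.t",
    "SELECT * FROM dblink('dbname=postgres','SELECT 1') AS t1(id INT)",
    r"SELECT * FROM orders IN 'h:\sites\tenant-b\shop.mdb'",
    r"SELECT * FROM orders IN 'H:\Sites\tenant-a\data\shop.mdb'",
    "SELECT * FROM notes WHERE body = 'how to call dblink(...)'",
]

if __name__ == "__main__":
    for statement in SAMPLES:
        print(scan(statement, r"h:\sites\tenant-a"), "<-", statement)
```

Masking the literals first keeps a statement that merely stores the text "dblink(" as data from being reported, while the path inside the Access clause is still read from the original statement.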

4 Comments

  1. Freelance Web Developer says:

    What about something like this to get all of the datasources?

    /**
    * Gets a list of DSNs.
    *
    * @return Returns an array.
    * @author Raymond Camden (ray@camdenfamily.com)
    * @version 1, November 15, 2002
    */
    function getDSNs() {
    var factory = createObject("java","coldfusion.server.ServiceFactory");
    return factory.getDataSourceService().getNames();
    }

    From there you can make a cfquery and go to town.

  2. Jochem says:

    As I explained in an earlier post, giving people the option to instantiate Java objects amounts to giving them the password to the ColdFusion Administrator. Who cares that you can enumerate the list of datasources using Java, when you can simply overwrite the password.properties file and force ColdFusion to read the new version by restarting JRun through CreateObject("java", "java.lang.runtime").getRunTime().halt()?

  3. “it could be bunnies” » Blog Archive » Shared hosting security wishlist says:

    [...] « ColdFusion shared hosting security and databases [...]

  4. Leigh says:

    Re: “The way to decrypt these passwords is well known” .. and apparently still works in ColdFusion 9.