Railo-web.xml.cfm passwords


hockeypfef

Jul 23, 2009, 11:22:15 AM
to Railo
Is there a way to encrypt the passwords for datasources in railo-
web.xml.cfm? They are in plain text so if the web server is hacked,
they have access to the database too.

Chris

Eric Cobb

Jul 23, 2009, 11:43:41 AM
to ra...@googlegroups.com
I don't know the answer to your question, but I thought I would point
something out. If your web server gets hacked they ALREADY have access
to your databases, via code. They can upload a .cfm page and run
whatever they want against the database. The only restrictions they
have are the ones set up in your datasource connection, which means that
if you have anything other than "select" permissions allowed, you're toast.

Just thought I would point that out....

Thanks,

Eric Cobb
http://www.cfgears.com

Chris Pfeffer

Jul 23, 2009, 11:49:56 AM
to ra...@googlegroups.com
Yeah, I agree with that totally, but having the username and password
in plain text just scares me. I know there are ways to decrypt and
what not, but it would be one more step they would have to take. Just
a suggestion.

Chris

Sean Corfield

Jul 23, 2009, 1:19:32 PM
to ra...@googlegroups.com
On Thu, Jul 23, 2009 at 8:49 AM, Chris Pfeffer<hocke...@gmail.com> wrote:
> Yeah, I agree with that totally, but having the username and password
> in plain text just scares me.  I know there are ways to decrypt and
> what not, but it would be one more step they would have to take.  Just
> a suggestion.

<tangent>
Well, this is one of the things that amuses me slightly about shared
hosting companies. Some of them tell you not to put your DB password
in the Admin but to put it in all your <cfquery> tags instead for
"security". Then folks go ahead and put it in some application-wide
config (either directly in application scope or in a config file that
is read into application scope, via a framework etc). And of course
you can read everyone's application scope on a shared server (because
all application scopes are rooted in a single unnamed Java web
application context) so it's no security at all.
</tangent>

As others have said, if they have access to your server, they have
access to your DB already - regardless of whether the passwords are in
the admin or in your own code.

For shared hosting, Railo is more secure than Adobe ColdFusion in this
area because each site has its own separate admin and file system
access can be locked down per site so the DB passwords are more secure
in the admin - even unencrypted - than they would be in code.

That said, Chris, feel free to open a JIRA ticket if you'd rather see
DB passwords encrypted in the XML file.
--
Sean A Corfield -- (904) 302-SEAN
Railo Technologies US -- http://getrailo.com/
An Architect's View -- http://corfield.org/

"If you're not annoying somebody, you're not really alive."
-- Margaret Atwood

Chris Pfeffer

Jul 23, 2009, 2:05:09 PM
to ra...@googlegroups.com
I agree. I like the way Railo does it compared to Adobe.

Does anyone else feel the same way about the password in plain text?
If it's just me then I won't bother opening a ticket.

Chris

Todd Rafferty

Jul 23, 2009, 2:08:49 PM
to ra...@googlegroups.com
I have mixed feelings about it. There was a certain vendor .properties file that had a plain text password once upon a time, and people were in an uproar over it. I do believe that Railo's local context offers more security, but I do understand that people want the warm fuzziness of security.

~Todd Rafferty
Railo Community Manager -- Volunteer
http://getRailo.org/

Andrew Penhorwood

Jul 23, 2009, 4:13:30 PM
to Chris Pfeffer
Chris,

I will vote +1 on this, even though it is only perceived security. But it would keep some manager somewhere from causing a major problem and getting Railo banned because it has clear text passwords. :-/

Andrew Penhorwood

-- 
Best regards,
Andrew Penhorwood
and...@coldbits.com
www.coldbits.com
419-884-6042

Todd Rafferty

Jul 23, 2009, 4:15:26 PM
to ra...@googlegroups.com
Very good point. Software audits need to be taken into account.


~Todd Rafferty
Railo Community Manager -- Volunteer
http://getRailo.org/

Dave

Jul 23, 2009, 4:20:19 PM
to ra...@googlegroups.com
I would like the password field, when entering the db passwords, to at
least be a password field so that it doesn't show the password while
typing.
Not a big deal, but it seems odd every time I enter one.

Chris Pfeffer

Jul 23, 2009, 4:50:56 PM
to ra...@googlegroups.com
I agree. When creating a new datasource, it is in plain text, but
when you edit the datasource, it has the password field. I always
found that odd.

Here it is: https://jira.jboss.org/jira/browse/RAILO-327

Chris

Michael Offner-Streit

Jul 24, 2009, 4:19:48 AM
to ra...@googlegroups.com
just my 4c to this

location,location,location (first 2c)

by default your web config is located at WEB-INF/railo/railo-web.xml.cfm
and the server config is at <install>/lib/railo-server/railo-server.xml
having the config inside the webroot is not the most secure position for this.

you can change these locations in the servlet specification; replace the existing servlet specification with something like this.
(located in resin: conf/app-default.xml; jetty: etc/webdefault.xml; tomcat: conf/app-default.xml)
<servlet servlet-name="CFMLServlet"
         servlet-class="railo.loader.servlet.CFMLServlet">
    <init-param>
        <param-name>railo-web-directory</param-name>
        <param-value>/var/railo/config/web/{web-context-hash}</param-value>
        <description>Railo Web Directory directory</description>
    </init-param>
    <init-param>
        <param-name>railo-server-directory</param-name>
        <param-value>/var/railo/config/server/</param-value>
        <description>directory where railo root directory is stored</description>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

the "{web-context-hash}" is needed because otherwise, when you only have a static path, all web contexts would point to the same location.
(a more readable "{web-context-label}" is planned for the future)

secure all (second 2c)
secure the entire xml instead of only the passwords.
we add a flag "secure" to the railo server admin; if you set this flag, railo will encrypt all config xml files, not only some values but the entire file.



what do you think?
/micha


Michael Offner-Streit

Jul 24, 2009, 5:06:47 AM
to ra...@googlegroups.com
done!

next version (3.1.0.024) will encrypt the password attribute
https://jira.jboss.org/jira/browse/RAILO-327

after you store your datasource again in the admin, the password
attribute will look like this in the railo-web.xml.cfm:
password="encrypted:4ac81d347e1d676ece17df63b29f2b0e2eebhgi68d434beb"

you can still add a password in plain text by removing the "encrypted:" prefix.
we have also changed the type of the html input field to "password".

greetings micha
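Micha's two posts above give an operator two things to check on an existing install: whether the web config still sits under the webroot (WEB-INF/railo/railo-web.xml.cfm) instead of the railo-web-directory location, and whether any datasource password in it lacks the "encrypted:" prefix that 3.1.0.024 writes. The script below is an added example, not Railo's own code: it parses a constructed railo-web.xml.cfm and reports both conditions. The element and attribute names (railo-configuration / data-sources / data-source with name and password attributes) are assumed here; the "encrypted:" prefix is the format quoted in the thread, and the sample config is made up for the example.

```python
"""Audit a Railo web context config for plaintext datasource passwords
and for living under the webroot. Added example, not Railo's own code."""
import posixpath
import xml.etree.ElementTree as ET

ENCRYPTED_PREFIX = "encrypted:"

# Constructed sample in the shape of railo-web.xml.cfm. The element and
# attribute names (railo-configuration / data-sources / data-source,
# name, username, password) are assumed; the "encrypted:" prefix is the
# format quoted in the thread. Values are made up.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<railo-configuration version="3.1">
  <data-sources>
    <data-source name="shop" dsn="jdbc:mysql://db/shop"
        username="shop_rw" password="Summer2009!"/>
    <data-source name="reports" dsn="jdbc:mysql://db/reports"
        username="reports_ro"
        password="encrypted:4ac81d347e1d676ece17df63b29f2b0e2eebhgi68d434beb"/>
    <data-source name="legacy" dsn="jdbc:mysql://db/legacy"
        username="legacy"/>
  </data-sources>
</railo-configuration>
"""


def is_under(path, root):
    """True if path lies inside root (pure path comparison, no filesystem)."""
    path = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def plaintext_datasources(xml_text):
    """Return names of data-source elements whose password is stored in the clear.

    A datasource with no password attribute is skipped; one whose password
    carries the "encrypted:" prefix is treated as protected.
    """
    root = ET.fromstring(xml_text)
    found = []
    for ds in root.iter("data-source"):
        pw = ds.get("password")
        if not pw:
            continue
        if not pw.startswith(ENCRYPTED_PREFIX):
            found.append(ds.get("name", "<unnamed>"))
    return found


def audit(xml_text, config_path, webroot):
    """Collect findings for one web context; an empty list means nothing flagged."""
    findings = []
    if is_under(config_path, webroot):
        findings.append(
            "config %s is inside webroot %s; move it via railo-web-directory"
            % (config_path, webroot))
    for name in plaintext_datasources(xml_text):
        findings.append("datasource %r stores its password in plain text" % name)
    return findings


if __name__ == "__main__":
    # Default layout from Micha's post: config under WEB-INF inside the webroot.
    for line in audit(SAMPLE_CONFIG,
                      "/var/www/site/WEB-INF/railo/railo-web.xml.cfm",
                      "/var/www/site"):
        print(line)
```

Run it against the real file and webroot of each web context after upgrading; a datasource that was never re-saved in the admin keeps its old plaintext password attribute and is reported here. The webroot check is a pure path comparison, so it also works on a config copied off the server for review.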

Judah McAuley

Jul 24, 2009, 12:50:02 PM
to ra...@googlegroups.com
I think we'd also need a way of programmatically creating those
encrypted passwords. Will there be a publicly available function to
call encrypt to generate the string that Railo will then be able to
decode when making the db connection?

Judah