July 21, 2023
How to retrieve datasource passwords on ColdFusion 9
Comments
(2)
July 21, 2023
How to retrieve datasource passwords on ColdFusion 9
Good ol' ColdFusion developer that has 20 years of experience with the language 
Master 8 posts
Followers: 2 people
(2)

[Updated: 8/30/24, correcting typographic quotes in code that caused compilation errors. Also removed double-spacing, added new excerpt, and revised title]

I know that some sites still use old versions of ColdFusion, for example, ColdFusion 9. However, through my experience helping clients, it’s surprising to find that the actual number of sites running on ColdFusion is so massive.

Adobe hasn’t supported this version of ColdFusion since 12/31/2014 and those sites are usually hosted on the old versions of Windows. And Microsoft doesn’t support it too. It generates a lot of security problems- we can’t use the newer version of Java, etc. Adobe provides very clear migration instructions. And most cases we can migrate sites with small code updates or without any code change.

In many cases, we are not able to make a migration. We need to copy scripts to the new hosting, setup DataSources etc. And because we deal with very old sites often created by another developer we can have a situation when nobody has a database password. But, if we know the ColdFusion admin password and datasource name we can retrieve all information:

<h1>ColdFusion Datasources</h1>
<cfset version=createobject("java","coldfusion.server.ServiceFactory").LicenseService.getMajorVersion()>
<cfset form.version =variables.version >
<cfif NOT isdefined("form.adminpassword") or (isdefined("form.adminpassword") AND NOT len(form.adminpassword))  or (isdefined("form.dsn") AND NOT len(form.dsn))>
    <cfif (isdefined("form.adminpassword") AND NOT len(form.adminpassword)) or  (isdefined("form.dsn") AND NOT len(form.dsn))>
        <font color="#FF0000">The password and Datasource Name cannot be empty!</font>
    <cfelse>
        <br>
    </cfif>
    <form action="<cfoutput>#cgi.script_name#</cfoutput>" method="post">
        Enter the CF Admin Password: <input type="password" name="adminPassword"><br />
        Enter the Datasource Name: <input type="text" name="dsn"><input type="submit" value="Submit">
    </form><cfabort>
<cfelse>
    <cfset adminauth=createObject('component','CFIDE.adminapi.administrator').login('#form.adminpassword#')>
    <cfif NOT adminauth>
        <font color="#FF0000">The password was incorrect!</font><br>
        <form action="<cfoutput>#cgi.script_name#</cfoutput>" method="post">
            Enter the CF Admin Password: <input type="password" name="adminPassword"><input type="submit" value="Submit">
        </form><cfabort>
    </cfif>
</cfif>
<cfif isdefined("form.adminpassword") and isdefined("form.dsn")>
    <cfoutput>ColdFusion Verion: #listfirst(server.coldfusion.productversion)#<br><br></cfoutput>
    <cfif isDefined("variables.version") AND variables.version GT 9>
        This utility works only with ColdFusion 9 or earlier.
    <cfelse>
        <!— Create datasource object —>
        <cfset variables.datasourceObject=createobject("java","coldfusion.server.ServiceFactory").getDatasourceService().getDatasources()>
        <table border="1" cellpadding="5" cellspacing="0">
            <tr bgcolor="c0c0c0">
                <th>Datasource</th>
                <th>UserName</th>
                <th>Password</th>
                <th>Type</th>
                <th>Database</th>
                <th>Host</th>
            </tr>
            <cfset variables.datasource = form.dsn>
            <cfif len(variables.datasourceObject[variables.datasource]["password"])>
                <cfset variables.database =">
                <cfset variables.host=">
                <cfset variables.username = variables.datasourceObject[variables.datasource]["username"]>
                <cfset variables.driver = variables.datasourceObject[variables.datasource]["driver"]>
                <cftry>
                      <cfset variables.database = variables.datasourceObject[variables.datasource].urlmap.CONNECTIONPROPS.database>
                      <cfset variables.host = variables.datasourceObject[variables.datasource].urlmap.CONNECTIONPROPS.host>
                       <cfcatch type="any">
                      </cfcatch>
                </cftry>
                <cfset variables.decryptedPassword = Decrypt(variables.datasourceObject[variables.datasource]["password"],generate3DesKey("0yJ!@1$r8p0L@r1$6yJ!@1rj"),"DESede","Base64")>
                <!— Output datasource information —>
                <cfoutput>
                <tr>
                    <td>#variables.datasource#</td>
                    <td>#variables.username#</td>
                    <td>#variables.decryptedPassword#</td>
                    <td>#variables.driver#</td>
                    <td>#variables.database#</td>
                    <td>#variables.host#</td>
                </tr>
                </cfoutput>
            </cfif>
        </table>
    </cfif>
</cfif>

If you have questions or need help with this, don’t hesitate to reach out to me and I’ll be happy to assist.

Hopefully this has been helpful. All the best, ColdFusion Community!

2 Comments
2024-08-31 14:34:49
2024-08-31 14:34:49

Hey, Igor. Thanks for that. I happened to have a situation with a client just like you described above, and I found your code here. Sadly, the wysiwyg editor used here messed up the code changing ” and ‘ to their typograph versions –which of course caused compilation errors in CF (and that editor also double-spaced your code with an extra line between each).

But as I have editorial privileges here in the portal (though I rarely use them), I cleaned up the code and put it back in. Sadly, the editor’s “code” block feature doesn’t work well, so I could only use the “preformatted code” paragraph style–but at least it stands out a bit more clearly from the text. I also threw in a line of code to detect and warn if the CF version was above 9 (your code tested for the condition but didn’t have an else offering a warning).

There are other things that I or others might propose to tweak the code, but I didn’t want to presume to do that. More than anything I just wanted to get it to work, as-is. Granted, there should be fewer and fewer people still on 9 or earlier. But here I was helping someone in 2024 just like you were in 2023 when you wrote this. At least in both cases it was in helping people get OFF such old versions. 🙂

(I also added an “update” indication at the top, for those who may not read this comment, and I also added an “excerpt” for the post, which shows up when this post is viewed in lists of other posts here on the portal. Sadly, the blog software is currently configured to show that excerpt at the top here as well. That was NOT me adding that as a new starting paragraph. The “update” is.)

I may work up some enhanced code to also work with CF10 and above, and to provide a list of datasources to pick from. But I’d do that in another post. These comments are an even worse place to post large code blocks! Again, though, thanks for the effort above.

Like
()
2023-07-28 07:19:23
2023-07-28 07:19:23

Hi Igor,

from a migration and security perspective it is always better to have a new user created with a new password

😉

Like
()
Add Comment