ColdFusion 10.0  -  Bug 3187494

Created on Thursday, May 10, 2012


Title

CF 10, Administrator Password Setting Issue.

Description

Problem:

Installed CF 10, but post install, at the configuration screen, forgot my password. So, we navigated to the “neo-security.xml” file, changed the “admin.security.enabled” attribute from true to false and re-started the server.

Post this, we successfully navigated inside the CF administrator. Now, we wish to set an admin password and thus go to: Security > Administrator and select the “Use single password only” option.

Once we enter the “New” and “Confirm” password and Submit changes, it is giving us an error message to “Enter the Old Password, as the same cannot be left blank”.

Logically, it shouldn’t: the user doesn’t remember the password which he/she used during install, therefore changes have been made in the neo file to bypass the login screen and then set the admin password via the Security option available inside. {Which we are not able to do/achieve.}


**** Please note that, once this process is done, the “admin.security.enabled” attribute also changes to true {even if the password is not set}.
Comparing to CF9: This was not the behavior in CF9 and we were able to set a new admin password.
Method: na

Result:

Once we enter the “New” and “Confirm” password and Submit changes, it is giving us an error message to “Enter the Old Password, as the same cannot be left blank”.

Expected:

Moving from “no authentication needed” to any other password option should not prompt for old password information.

Workaround: na
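Because the bypass described above leaves the Administrator reachable without a password until the attribute is flipped back, a defender will want a quick way to audit that setting. The following is an added example, not code from the bug report or from Adobe; it assumes neo-security.xml is a WDDX-style packet in which each setting is a `<var name='...'>` holding a `<boolean value='...'/>`, and the embedded sample is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of neo-security.xml
# (assumed WDDX-style layout; only the setting discussed in the bug is shown).
SAMPLE_NEO_SECURITY = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
<var name='admin.security.enabled'><boolean value='false'/></var>
</struct></data></wddxPacket>"""


def admin_security_enabled(xml_text):
    """Return True/False for admin.security.enabled, or None if the
    setting is absent, has no boolean child, or the XML is malformed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    for var in root.iter("var"):
        if var.get("name") == "admin.security.enabled":
            boolean = var.find("boolean")
            if boolean is None:
                return None
            return boolean.get("value", "").strip().lower() == "true"
    return None


def audit_neo_security(xml_text):
    """Map the parsed state to a one-line audit verdict."""
    state = admin_security_enabled(xml_text)
    if state is None:
        return "UNKNOWN: admin.security.enabled not found or file unreadable"
    if state:
        return "OK: Administrator login is required"
    return "FINDING: admin.security.enabled=false, Administrator reachable without a password"


def audit_file(path):
    """Audit a real neo-security.xml on disk (path is supplied by the caller)."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_neo_security(fh.read())


if __name__ == "__main__":
    print(audit_neo_security(SAMPLE_NEO_SECURITY))
```

Point `audit_file()` at the instance's lib/neo-security.xml to check a live server; a "FINDING" line means the login bypass from this report is still in place.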

Test Configuration

App Language(s) ALL
OS Language(s) English
Platform(s) Win XP All
Browser(s)

Notes (7)

  • Stijn Dreezen (Marburg)

    3:34:23 AM GMT+00:00 Sep 3, 2012

    The bug is solved in 10.0.1 !

    I think I found the reason. Executing passwordreset.bat resulted in an error trying to access password.properties (access denied). It did not give this error in the previous version of ColdFusion 10.

    It makes sense that the passwordreset.bat is executed with administrative privileges to have write access to the password.properties file. If the error had been raised properly in the previous version, we would have been able to fix it right away.


    Regards,

    Stijn

  • Stijn Dreezen (Marburg)

    3:17:53 AM GMT+00:00 Sep 3, 2012

    It is exactly that utility (passwordreset.bat) that we used to try to reset it, to no avail.
    The only way to get into the administrator afterwards was setting admin.security.enabled to false in the neo-security.xml. We never set a password directly in the neo-security.xml, neither did we report that we did this.

    I will download and evaluate the new 10.0.1 update and see if the bug still exists. If it does, we will unfortunately not go live with version 10.
    It needs to be solved.

  • Rupesh Kumar

    12:51:08 PM GMT+00:00 Aug 27, 2012

    You are not supposed to make changes in the neo-security.xml directly :-). Since the password is securely hashed and stored here, making changes directly to this will surely mess things up. In case you have forgotten the password, CF 10 ships a utility 'passwordreset.bat/passwordreset.sh' in the 'bin' directory to reset the passwords. Check that out and let us know if that does not work.

  • samihoda2

    10:27:24 AM GMT+00:00 Aug 27, 2012

    Big issue!

  • samihoda2

    9:50:59 AM GMT+00:00 Aug 27, 2012

    Big issue!

  • Stijn Dreezen (Marburg)

    12:55:53 AM GMT+00:00 Jun 6, 2012

    Correction, the behaviour is a little bit different on 2008 R2.

    I believe the bug is in the login.cfm.
    After the installation, before the configuration screen our login failed as well, though we were 100% sure about the password.

    Once set to false in neo-security.xml, we could bypass the login. In the administrator we could change the admin password, he would accept our old password (which didn't work for login) and we could set a new one.

    Though after logout, we could not login with the new one either, so again to neo-security.xml to be able to login. Again, we could change the new password with another one in the administrator.

    My guess is there is something wrong with the seed/hash calculation in the admin login.cfm on Win 2008 R2.

  • Stijn Dreezen (Marburg)

    12:51:05 AM GMT+00:00 Jun 6, 2012

    Same bug encountered on Win 2008 R2.

Duplicate ID
Reported By Simarpreet Singh Bhatia

Status

State Closed
Status Withdrawn
Reason UserError

Importance

Priority 3-High
Frequency All users will encounter
Failure Type Incorrectly Functioning
Product Area Administrator

Build

Found In Build 10,282462
Fixed In Build

Attachments (0)

No Files Attached

Votes (2)

  • Adam Cameron.

    11:33:44 AM GMT+00:00 Jan 9, 2013

    This needs reopening. The way it's been implemented defies common sense. It might have been "user error" (as per the excuse for closing it), but it's user error borne of quite reasonable expectations of common sense not being implemented by CFAdmin.

    (NB: this is not a theoretical gripe, I was just caught out by this too).

    --
    Adam

  • samihoda2

    9:50:19 AM GMT+00:00 Aug 27, 2012

    This is a major bug. I can confirm this. It is also a security hole.
