Pull a List of All ColdFusion Datasources, Along With Usernames and Passwords

There are times when you may need to get a list of your datasources or retrieve the passwords for them. If that is your situation, no problem.

The script below will pull all datasources, along with the username and a decrypted password.


    <cfscript>
    // Create the datasource service object and fetch all datasources
    dataSourceObb = createObject("java", "coldfusion.server.ServiceFactory").
        getDatasourceService().getDatasources();

    // Loop through the datasources
    for (i in dataSourceObb) {
        // Skip datasources that have no stored password
        if (len(dataSourceObb[i]["password"])) {

            // Get username
            username = dataSourceObb[i]["username"];

            // Get and decrypt password
            decryptPassword = decrypt(dataSourceObb[i]["password"],
                generate3DesKey("0yJ!@1$r8p0L@r1$6yJ!@1rj"), "DESede",
                "Base64");

            // Output each datasource along with its username and password
            writeOutput("DataSource: " & i & "<br>"
                & "Username: " & username & "<br>"
                & "Password: " & decryptPassword & "<br><br>");
        }
    }
    </cfscript>

Enjoy!

UPDATE: When this post was originally published, this worked on ColdFusion 9. Since then 9.0.1 has been released, and that version has fixed this issue.
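For administrators who want to know whether any template on a server already uses this technique, the following scanner flags CFML source that references the internal `ServiceFactory` class or the datasource calls used in the script above. It is an added example, not code from the original post; the rule names, function names and sample templates are constructed for illustration.

```python
import re
from pathlib import Path

# Patterns taken from the script in this post. Matching is case-insensitive
# because CFML identifiers are case-insensitive.
PATTERNS = {
    "internal-servicefactory": re.compile(r"coldfusion\.server\.ServiceFactory", re.I),
    "datasource-service": re.compile(r"\bgetDatasourceService\s*\(", re.I),
    "list-datasources": re.compile(r"\bgetDatasources\s*\(", re.I),
    "3des-key-helper": re.compile(r"\bgenerate3DesKey\s*\(", re.I),
}
CFML_EXTENSIONS = {".cfm", ".cfc", ".cfml"}


def scan_text(text):
    """Return sorted (line_number, rule) pairs for every pattern hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, rule))
    return sorted(hits)


def scan_tree(root):
    """Scan every CFML template under root; return {path: hits} for files with hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in CFML_EXTENSIONS:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample templates (not real application code).
SAMPLE_FLAGGED = '''<cfscript>
svc = CreateObject("java", "ColdFusion.Server.ServiceFactory")
    .getDataSourceService();
all = svc.getDatasources();
</cfscript>'''
SAMPLE_CLEAN = '<cfquery name="q" datasource="#application.dsn#">SELECT 1</cfquery>'

if __name__ == "__main__":
    import sys
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for lineno, rule in hits:
            print(f"{path}:{lineno}: {rule}")
```

Run it against the web root and review every hit; a match is a reason to read the template, not proof of misuse, since administrative tooling may call the same service legitimately.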

Tags: Coldfusion, Datasource Passwords, ColdFusion Passwords, ColdFusion ServiceFactory, Paul Alkema

8 responses so far ↓

Brian Swartzfager - Jul 12, 2010 at 10:25 AM

That's a useful script when used by an authorized administrator, but kind of a security problem when used by someone who simply has the means to write and then upload CF code. Don't suppose you know of a technique for blocking it?

Jason Dean - Jul 12, 2010 at 1:00 PM

I thought I had heard this was corrected in CF9. I see now that it was not. Honestly, that really irritates me. This has been a vulnerability for WAY too long. Anyway, you can block access to this by checking "Disable access to internal ColdFusion Java components" in the ColdFusion administrator's SETTINGS section.

Marc Ackermann - Jul 13, 2010 at 4:38 AM

This is a very serious cf security problem. Thanks for the info.

Jason Dean - Jul 13, 2010 at 11:04 AM

Oh, well, that's interesting. I guess I did hear that it was fixed. But it was actually for 9.01. Just released today, you can now have a configurable seed for password encryption. I have not tried it yet, so I am unsure if this applies to Admin user passwords or DSN passwords or both. But hopefully it is both.

Marc Ackermann - Jul 14, 2010 at 5:28 AM

I just checked it: yes, the problem is fixed in cf 9.0.1 !!!

Paul Alkema - Jul 15, 2010 at 7:44 AM

Awesome, it's been confirmed that this was fixed in 9.0.1. This article was written before this had been released. I added a note about this at the bottom of this post.

Andy - Jul 16, 2010 at 3:53 AM

We just installed 9.0.1 and dataSourceObb=createobject("java","coldfusion.server.ServiceFactory").getDatasourceService().getDatasources(); is not working anymore. At least I cannot call getDatasources(); to receive the list of datasources. Disable access is not enabled on our server.

Jason Presley - Apr 6, 2011 at 11:48 AM

I confirm what Andy stated. Dumping the results of the getDataSourceService() shows that there is a getDatasources() method, but when that method is called CF throws an error. Anyone know the cause or a workaround?
