ColdFusion Data Source Decryption

The Problem

Have you ever needed to decrypt the passwords stored in ColdFusion’s [ColdFusion Install Dir]\lib\neo-datasource.xml file? Whether you are migrating between servers or are just curious what that password is, it’s a pain as an admin to work around the extra layer of security.

Reverse Engineering the Passwords

From ColdFusion 8 (probably older) through ColdFusion 9, passwords were stored encrypted. However, it is well known that Adobe hard-coded the seed “0yJ!@1$r8p0L@r1$6yJ!@1rj”, used the 3DES algorithm, and stored the result with Base64 encoding. This meant that for years, if any neo-datasource.xml or neo-query.xml file was compromised, anyone could reverse engineer the passwords.

Starting with ColdFusion 10 and 11 (and likely moving forward), the passwords are now encrypted with a random seed found in the [ColdFusion Install Dir]\lib\ file. This makes it impossible for a leaked neo-datasource.xml file to be reverse engineered without also having the seed. Furthermore, there are likely multiple algorithms in play, as you will find the algorithm “AES/CBC/PKCS5Padding” named in most of the files as well.

Further Reading

While the encryption is “better” in ColdFusion 10 and later versions, we must always remember that there are some things which cannot be protected. An example is the effort to encrypt DVDs: if the DVD player needs to decrypt the DVD to show it to you, then the DVD player holds the means to decrypt it. Similarly, if the ColdFusion data source passwords need to be decrypted to establish the connection to the database, the means to decrypt any stored password must also be present on the server. This will not change; it is only a matter of time and effort before it is reverse-engineered.
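The difference between the two designs above (a seed hard-coded in the software versus a random seed kept in a separate per-install file) is easiest to see in code. The following is an added example written for this page; it is not ColdFusion's code and does not reproduce Adobe's key derivation or file layout. It assumes a constructed placeholder seed (not the real constant), derives a 128-bit key by hashing the seed (this example's own choice), uses “AES/CBC/PKCS5Padding”, the one transformation the page names, for both models because the page does not state the 3DES mode, and prepends the IV to the stored Base64 value (again this example's convention). The audit helper at the end answers the defender's question for a leaked configuration file: can a stored value be opened with a key the reader of the file already has?

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// legacyFixedSeed is a CONSTRUCTED placeholder for a seed baked into the
// software itself (not Adobe's constant). Anyone who reads the binary knows it.
const legacyFixedSeed = "PLACEHOLDER-FIXED-SEED-DO-NOT-USE"

// keyFromSeed hashes a seed string down to a 128-bit AES key (example's choice).
func keyFromSeed(seed string) []byte {
	sum := sha256.Sum256([]byte(seed))
	return sum[:16]
}

// NewInstallSeed models a random per-installation seed stored in a file that
// is separate from the datasource configuration.
func NewInstallSeed() (string, error) {
	b := make([]byte, 24)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

func pkcs5Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad validates the padding instead of trusting the last byte blindly.
func pkcs5Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("length is not a block multiple")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptPassword applies AES/CBC/PKCS5Padding and returns Base64(IV || ciphertext).
func EncryptPassword(plain string, key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	padded := pkcs5Pad([]byte(plain), aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}

// DecryptPassword reverses EncryptPassword; a wrong key almost always fails the
// padding check, and a truncated or malformed value fails the length checks.
func DecryptPassword(b64 string, key []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(raw) < aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", errors.New("stored value has an invalid length")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	out, err := pkcs5Unpad(pt, aes.BlockSize)
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// StoredValueRecoverable reports whether a stored value opens cleanly with the
// given key: valid padding and a printable-ASCII result (rules out the rare
// wrong-key decryption whose padding happens to validate).
func StoredValueRecoverable(stored string, key []byte) bool {
	pt, err := DecryptPassword(stored, key)
	if err != nil {
		return false
	}
	for _, c := range []byte(pt) {
		if c < 0x20 || c > 0x7e {
			return false
		}
	}
	return true
}

func main() {
	const dbPassword = "s3cret-db-password" // constructed sample value
	legacy, _ := EncryptPassword(dbPassword, keyFromSeed(legacyFixedSeed))
	fmt.Println("legacy file leaked, seed is public:", StoredValueRecoverable(legacy, keyFromSeed(legacyFixedSeed)))
	seed, _ := NewInstallSeed()
	modern, _ := EncryptPassword(dbPassword, keyFromSeed(seed))
	fmt.Println("modern file leaked, seed file not leaked:", StoredValueRecoverable(modern, keyFromSeed(legacyFixedSeed)))
	fmt.Println("modern file leaked together with seed file:", StoredValueRecoverable(modern, keyFromSeed(seed)))
}
```

The third line printed by main is the point of the “Further Reading” paragraph: the separate seed file only helps while it stays separate, because the server that opens the database connection must be able to read both the configuration file and the seed.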

My Solution

Since encryption can be confusing (I won’t judge Adobe/ColdFusion’s popularity here), there seems to be no easy way for an admin to decrypt these passwords. This is where my ColdFusion Decryptor program comes in. Simply feed it a single password, or an entire neo-datasource.xml file, and it spits out the decrypted information for you. You’re welcome =)


ColdFusion Decryptor

Download Link:

To use the ColdFusion Decryptor, you first need to know what version of ColdFusion you want to decrypt. If it’s 10 or higher, first fill in the ColdFusion 10+ Seed box. Once this is done, you can either input a single encrypted string from the neo-datasource.xml file or select the whole damn neo-datasource.xml file, your choice =). After selecting a file, it will automatically be parsed. Please note that the only supported algorithm for ColdFusion 10 or newer is “AES/CBC/PKCS5Padding” (you can find your algorithm in the file).

This should work to decrypt ColdFusion passwords from Windows or Linux servers.

It’s that simple. Have fun! Provided as is, no warranties. No whining.

Xeoma Review

My Video Surveillance Experience

A few years ago I took it upon myself to install and configure a video surveillance system. Not because I live in a bad neighborhood, but for a sense of security, and it made for a low-cost project that I could use for years to come. I started with some old computer hardware and some low-cost PoE cameras from Amazon. Nothing special, just an old quad-core desktop, a couple of hard drives, and a PoE switch. My goal was to have a system I could view and record at any time of the day or night, from anywhere, with security in mind.

I started with one of the largest open-source surveillance systems, ZoneMinder, and connected the cameras to a PoE switch. I was able to achieve most of my goals with the software, but ultimately, after several months of consistently tinkering with settings and crawling the net for help, I decided to search for something that was more transparent. This was when I found Xeoma. After playing with the trial version I ended up re-imaging the computer with Ubuntu Server and was easily able to get Xeoma configured to meet most of my goals.

Why Xeoma?

Right away I saw better performance with Xeoma than I did with ZoneMinder. The video streams were consistent (awesome frame rate), the server was under less load, there was native support for all major operating systems, and the amount of bandwidth each video stream took had declined (it was WayCool to see that the bandwidth used to view correlated directly with the application size). Overall, the software just worked. However, it lacked one key item: security. I had noticed that the credentials used to connect to Xeoma were sent in clear text! While it’s unlikely that this would ever have been an issue, it went against my morals, so I contacted Xeoma. A short while later Xeoma pushed an update that uses SSL to encrypt the credentials. Problem solved, goal met!

Today I continue to use Xeoma and have recommended it to several friends. While not free, I am completely willing to pay for software that works well, especially seeing that Xeoma actively listened to their users. I believe Xeoma’s cost is fair, in that you only pay to continue receiving updates to the software (I like to think of it as supporting the devs that put in the time). Over time the software has continued to fulfill my desires. I have been able to configure it to send SMS videos when there are motion-based alerts, integrated it with IFTTT so that I can change settings automatically based on my phone’s location, and even run other scripts based on Xeoma’s logic.

Plesk Password Encryption on Windows

Plesk Encryption

Plesk, love it or hate it, is the most popular control panel used on Windows servers. I’ve had the unfortunate experience of working with the panel since Plesk 8. Fortunately, it has been improved over the years and I’ve grown to like it. Over the course of its life, Plesk (v10 to be exact) finally made the choice to stop storing passwords in clear text. This was one of the best choices they could have made for the sake of security. However, it has made it difficult for IT admins to quickly replicate an end-user problem. So today I discuss how to bring that symmetrically encrypted password back to clear text!

If I haven’t lost you yet, here is the one-liner to get the password in the clear on a Windows OS:

"%plesk_dir%\admin\bin\php.exe" -r "echo plesk_symmetric_decrypt('ENCRYPTED_STRING_HERE');"

What does this do?

The Windows command line above uses the Plesk environment variable, along with the path to Plesk’s own PHP binary, to run (-r means run the code without script tags) an echo statement through PHP that calls Plesk’s own function (plesk_symmetric_decrypt) to recover the password. In short, all you need to do is replace the text ‘ENCRYPTED_STRING_HERE’ with the encrypted password from Plesk’s database and the clear text will be printed to the command line output. WayCool, huh?

Additional Information

There are a few things to note regarding this:

  1. The command must be executed on the same server where the encrypted string was found, since the symmetric key is specific to that installation.
  2. Only passwords with the type ‘sym’ (symmetric-key) can be decrypted using this function.
  3. Passwords with the type ‘crypt’ cannot be reverse-engineered (as far as I’m aware). These passwords use PHP’s crypt method, explained here, and will likely start with ‘$5$’ in Plesk’s database.

If you are unsure where in Plesk’s database the passwords are stored, try using HeidiSQL (or Plesk’s dbclient.exe command) and browsing the sys_users and databaseservers tables, which link back to the accounts table by account_id.


If you have any thoughts on this, be WayCool and drop a comment below!