The Problem

Have you ever needed to decrypt the passwords stored in ColdFusion’s [ColdFusion Install Dir]\lib\neo-datasource.xml file? Whether you are migrating between servers or are just curious what a particular password is, that extra layer of protection is a pain for an admin to work around.

Reverse Engineering the Passwords

From ColdFusion 8 (and probably older versions) through ColdFusion 9, the passwords were stored encrypted, but the protection was nominal. It is well known that Adobe hard-coded the seed “0yJ!@1$r8p0L@r1$6yJ!@1rj” (24 characters, which is exactly the length of a three-key 3DES key), encrypted the password with 3DES, and stored the result Base64-encoded. Because the same key shipped with every install, anyone who obtained a copy of neo-datasource.xml or neo-query.xml could decrypt every password in it without needing anything else from the server, and that stayed true for years.

Starting with ColdFusion 10 and 11 (and presumably going forward) the passwords are instead generated from a random seed found in the [ColdFusion Install Dir]\lib\seed.properties file. A leaked neo-datasource.xml can no longer be decrypted on its own; whoever has it also needs that seed. The caveat is that seed.properties lives in the same lib directory as the datasource file, so anyone with file-read access on the server to one of them normally has the other as well. seed.properties also names the cipher, and in most installs that line reads “AES/CBC/PKCS5Padding”, which suggests the algorithm is configurable rather than fixed.
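The two schemes described above, as an added example that is not the post's tool and not Adobe's code: a small Go program with a decrypt/encrypt pair for each generation, so the round trip can be exercised offline without a real neo-datasource.xml. Only the fixed seed, “3DES”, Base64 and “AES/CBC/PKCS5Padding” come from the text; everything else is an assumption and is marked as such in the code: PKCS#5 padding and ECB mode for the legacy 3DES scheme (ECB is the default Java picks for Cipher.getInstance("DESede")), the seed's raw bytes serving directly as the AES key, and the IV being stored in front of the ciphertext inside the Base64 string. The seed used in main is constructed for the example, not taken from any server.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

const LegacySeed = "0yJ!@1$r8p0L@r1$6yJ!@1rj"                   // fixed CF8/9 key from the post: 24 bytes = three-key 3DES
var legacyBlock, _ = des.NewTripleDESCipher([]byte(LegacySeed)) // a 24-byte key cannot fail here

// pad and unpad implement the "PKCS5Padding" named in seed.properties (ASSUMED for 3DES too).
func pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte, bs int) ([]byte, error) {
	n := 0
	if len(b) > 0 && len(b)%bs == 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#5 padding: wrong key/seed or corrupted ciphertext")
	}
	return b[:len(b)-n], nil
}

// ecb applies block.Encrypt or block.Decrypt to every block of buf in place (no IV, no chaining).
func ecb(block cipher.Block, buf []byte, dir func(dst, src []byte)) {
	for bs, i := block.BlockSize(), 0; i+bs <= len(buf); i += bs {
		dir(buf[i:i+bs], buf[i:i+bs])
	}
}

// DecryptLegacy undoes the CF8/9 scheme: Base64 -> 3DES -> password. ASSUMPTION: ECB mode,
// which is what Java's Cipher.getInstance("DESede") defaults to; the post names only "3DES".
func DecryptLegacy(b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	ecb(legacyBlock, ct, legacyBlock.Decrypt)
	pt, err := unpad(ct, des.BlockSize)
	return string(pt), err
}

// EncryptLegacy is the forward direction, present only so the round trip can be run offline.
func EncryptLegacy(password string) string {
	buf := pad([]byte(password), des.BlockSize)
	ecb(legacyBlock, buf, legacyBlock.Encrypt)
	return base64.StdEncoding.EncodeToString(buf)
}

// DecryptSeeded handles CF10+: AES/CBC/PKCS5Padding keyed by the seed from seed.properties.
// ASSUMED (the post does not say): the seed's raw bytes are the AES key, so it must be 16, 24
// or 32 bytes, and the 16-byte IV is stored in front of the ciphertext inside the Base64 string.
func DecryptSeeded(seed, b64 string) (string, error) {
	data, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher([]byte(seed))
	if err != nil {
		return "", err // aes.KeySizeError: the seed is not 16, 24 or 32 bytes
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return "", errors.New("need an IV plus at least one whole ciphertext block")
	}
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(data[aes.BlockSize:], data[aes.BlockSize:])
	pt, err := unpad(data[aes.BlockSize:], aes.BlockSize)
	return string(pt), err
}

// EncryptSeeded is the forward direction under the same assumptions, with a fresh random IV.
func EncryptSeeded(seed, password string) (string, error) {
	block, err := aes.NewCipher([]byte(seed))
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	ct := pad([]byte(password), aes.BlockSize)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}

func main() {
	const seed = "S9YgcuUq4BP3btmn" // CONSTRUCTED 16-byte sample; a real one lives in lib/seed.properties
	fmt.Println(DecryptLegacy(EncryptLegacy("Sup3rS3cret!")))
	enc, _ := EncryptSeeded(seed, "Sup3rS3cret!")
	fmt.Println(DecryptSeeded(seed, enc))
}
```

Run it with go run to see both round trips. To try a real value, paste the Base64 string from neo-datasource.xml into DecryptLegacy, or into DecryptSeeded together with the seed line from seed.properties. A padding error on a real value means one of the assumptions above does not hold for that install (mode, key derivation or IV placement), which is exactly what to check against Adobe's own classes before trusting any output; a successful decrypt of a wrong key is very unlikely because the PKCS#5 check has to pass.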

Further Reading

While the encryption is “better” in ColdFusion 10 and later versions, we must always remember that some things cannot be protected by encryption at all. DVD encryption is the classic example: the DVD player has to decrypt the disc to show it to you, so the player necessarily holds the means to decrypt it. Likewise, ColdFusion has to decrypt a data source password to establish the connection to the database, so everything needed to decrypt any stored password must also be present on the server. That will not change; it is only a matter of time and effort before each new scheme is reverse-engineered. The practical defence is therefore not a stronger cipher but keeping the lib directory readable only by the ColdFusion service account and the admins who genuinely need it.

My Solution

Since encryption can be confusing (I won’t judge Adobe/ColdFusion’s popularity here) there is no easy built-in way for an admin to decrypt these passwords. This is where my ColdFusion Decryptor program comes in. Simply feed it a single encrypted password, or an entire neo-datasource.xml file, and it spits out the decrypted values for you. You’re welcome =)


ColdFusion Decryptor

Download Link: https://api.waycool.tech/ColdFusionDecryptor.exe

To use the ColdFusion Decryptor, you first need to know which version of ColdFusion produced the file you want to decrypt. If it is 10 or higher, first fill in the ColdFusion 10+ Seed box with the seed value from [ColdFusion Install Dir]\lib\seed.properties. Once that is done, you can either paste a single encrypted string from neo-datasource.xml or select the whole damn neo-datasource.xml file, your choice =). A selected file is parsed automatically. Please note that the only algorithm supported for ColdFusion 10 or newer is “AES/CBC/PKCS5Padding” (seed.properties tells you which algorithm your install uses), so check that line before you start.

This should work to decrypt ColdFusion passwords from Windows or Linux servers.

It’s that simple. Have fun! Provided as-is, with no warranties. No whining.
