tracker issue : CF-3187494

Title:

CF 10, Administrator Password Setting Issue.


Status/Resolution/Reason: Closed/Withdrawn/UserError

Reporter/Name(from Bugbase): / ext-user (Simarpreet Singh Bhatia)

Created: 05/10/2012

Components: Administrator, Administrator Console

Versions: 10.0

Failure Type:

Found In Build/Fixed In Build: 10,282462 /

Priority/Frequency: Major / All users will encounter

Locale/System: ALL / Win XP All

Vote Count: 2

Problem:

Installed CF 10, but post install, at the configuration screen, forgot my password. So, we navigated to the “neo-security.xml” and changed the “admin.security.enabled” attribute from true to false → restarted the server.
 
Post this, we were successfully navigated inside the CF administrator. Now, we wish to set an admin password and thus go to: Security → Administrator → select Use Single password only option
 
Once we enter the “New” and “Confirm” password and Submit changes, it is giving us an error message to “Enter the Old Password, as the same cannot be left blank”.
 
Logically, it shouldn’t: the user doesn’t remember the password which he/she has used during install, therefore changes have been made in the neo file to by-pass the login screen and then set the admin password via the Security option available inside. {which we are not able to do/achieve}


****  Please note that, once this process is done the “admin.security.enabled” attribute also changes to True {even if the password is not set}
Comparing to CF9: This was not the behavior in CF9 and we were able to set a new admin password.
Method: na

Result: 

Once we enter the “New” and “Confirm” password and Submit changes, it is giving us an error message to “Enter the Old Password, as the same cannot be left blank”.

Expected:

Moving from “no authentication needed” to any other password option should not prompt for old password information.

Workaround: na

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3187494


Comments:

Same bug encountered on Win 2008 R2
Comment by External U.
19480 | June 06, 2012 02:21:05 AM GMT
Correction, the behaviour is a little bit different on 2008 R2. I believe the bug is in the login.cfm. After the installation, before the configuration screen, our login failed as well, though we were 100% sure about the password. Once set to false in neo-security.xml, we could bypass the login. In the administrator we could change the admin password; it would accept our old password (which didn't work for login) and we could set a new one. Though after logout, we could not log in with the new one either, so again to neo-security.xml to be able to log in. Again, we could change the new password to another one in the administrator. My guess is there is something wrong with the seed/hash calculation in the admin login.cfm on Win 2008 R2.
Comment by External U.
19481 | June 06, 2012 02:25:53 AM GMT
This is a major bug. I can confirm this. It is also a security hole.
Vote by External U.
19488 | August 27, 2012 11:20:19 AM GMT
Big issue!
Comment by External U.
19482 | August 27, 2012 11:20:59 AM GMT
You are not supposed to make changes in the neo-security.xml directly :-). Since the password is secure hashed and stored here, making changes directly to this will surely mess things up. In case you have forgotten the password, CF 10 ships a utility 'passwordreset.bat/passwordreset.sh' in the 'bin' directory to reset the passwords. Check that out and let us know if that does not work.
Comment by Rupesh K.
19483 | August 27, 2012 02:21:08 PM GMT
It is exactly that utility (passwordreset.bat) that we used to try to reset it, to no avail. The only way to get into the administrator afterwards was setting admin.security.enabled to false in the neo-security.xml. We never set a password directly in the neo-security.xml, neither did we report that we did this. I will download and evaluate the new 10.0.1 update and see if the bug still exists. If it does, we will unfortunately not go live with version 10. It needs to be solved.
Comment by External U.
19484 | September 03, 2012 04:47:53 AM GMT
The bug is solved in 10.0.1! I think I found the reason. Executing passwordreset.bat resulted in an error trying to access password.properties (access denied). It did not give this error in the previous version of ColdFusion 10. It makes sense that the passwordreset.bat is executed with administrative privileges to have write access to the password.properties file. If the error had been raised properly in the previous version, we would have been able to fix it right away. Regards, Stijn
Comment by External U.
19485 | September 03, 2012 05:04:23 AM GMT
This needs reopening. The way it's been implemented defies common sense. It might have been "user error" (as per the excuse for closing it), but it's user error borne of quite reasonable expectations of common sense not being implemented by CFAdmin. (NB: this is not a theoretical gripe, I was just caught out by this too). -- Adam
Vote by External U.
19489 | January 09, 2013 02:03:44 PM GMT
It's one thing to tell users not to modify the neo-*.xml files directly like in the Notes here, but I just did it because I was following the docs. https://helpx.adobe.com/coldfusion/kb/forgotten-password-cannot-log-coldfusion.html Fix 'em
Comment by External U.
19486 | February 09, 2016 11:53:28 PM GMT
Hahaha, nice one Adobe / Rupesh. Not reading from the same hymn sheet, it would seem
Comment by External U.
19487 | February 11, 2016 06:30:10 AM GMT
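
A configuration audit for the situation this thread describes, added here as an example and not code from Adobe or from any commenter: it reports when `admin.security.enabled` in neo-security.xml has been left at false and whether password.properties can be opened for writing before passwordreset is run. The WDDX layout of the sample (a `<var>` wrapping a `<boolean>`), the function names and the sample content are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the WDDX <var>/<boolean> layout is an assumption about neo-security.xml.
SAMPLE = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
<var name='example.other.setting'><string>x</string></var>
<var name='admin.security.enabled'><boolean value='false'/></var>
</struct></data></wddxPacket>"""

def read_flag(xml_text, name="admin.security.enabled"):
    """Return True/False for the named setting, or None when it is absent."""
    for var in ET.fromstring(xml_text).iter("var"):
        if var.get("name") != name:
            continue
        node = var.find("boolean")
        if node is not None:
            return node.get("value", "").strip().lower() == "true"
        text = var.findtext("string")  # tolerate a hand-edited text value
        return None if text is None else text.strip().lower() == "true"
    return None

def can_write(path):
    """Open for read/write without truncating or writing; reflects ACLs, not just attributes."""
    try:
        with open(path, "r+b"):
            return True
    except OSError:
        return False

def audit(xml_text, password_properties=None):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    flag = read_flag(xml_text)
    if flag is False:
        findings.append("admin.security.enabled is false: Administrator login is bypassed")
    elif flag is None:
        findings.append("admin.security.enabled not found: layout differs from the assumed one")
    if password_properties is not None and not can_write(password_properties):
        findings.append("password.properties missing or not writable: password reset would fail")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```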