RDS Security Problems?
Erki Esken posted a comment on Ben Forta's blog asking if the source to the RDS plugin for Eclipse would be released. Forta's response was:
"But, my gut feel is that it would not be a good idea to fully expose the source for RDS as that may create potential security problems."
Wait a second there. I can understand that Macromedia may not want to release the source for business reasons. I have no problem with that. But suggesting that the the source code would create security problems for ColdFusion, well either the security problem is there, or it isn't. The source code isn't going to create the problem, and keeping the source code for RDS closed isn't going to make it go away.
Now I know that Macromedia has recommended that folks disable RDS in production as a best practice in various technotes. But they also state on their web site:
ColdFusion RDS allows developers to securely access remote files and data sources, and debug CFML code.
Macromedia Technote: 17276 second paragraph.
My concerns are this:
- If there is an actual security problem with RDS besides folks authenticating in plain text (if your not using SSL) that Macromedia knows about, then ethically they should release a patch, and come forward with it.
- It is published on their web site that the protocol doesn't send the passwords in plain text, so this is nothing new. Since Ben said it would "create potential security problems" this suggests that he may be talking about something that isn't published already.
- Many people do infact use RDS, despite best practice, my poll showed that 40% of my readers use RDS.
- Macromedia is sending a mixed message by saying its secure, but you should disable it for security reasons.
I'm hopeful this can be resolved with another comment by Ben. I'm not trying to cause trouble here, it just doesn't sit well with me.
In closing I want to mention that I think its great Macromedia is building this plugin, I don't have a problem with it being closed source. Don't get me wrong, I'd love to see the RDS protocol open, but I'm not going to hold my breath.
Update: Ben has cleared up things in his blog post, please check it out.
I'm going to be out of town this weekend, so I won't be able to reply to any comments, until sunday night or monday.
Like this? Follow me ↯Tweet Follow @pfreitag
RDS Security Problems? was first published on September 09, 2005.
If you like reading about macromedia, coldfusion, security, rds, or eclipse then you might also like:
- OpenSSL and ColdFusion / Lucee / Tomcat
- ColdFusion Security Training Class December 2022
- ColdFusion Summit 2022 Slides
- Ways to suppress a finding in Fixinator
- Spring4Shell and ColdFusion
- Log4j CVE-2021-44228 Log4Shell Vulnerability on ColdFusion / Lucee
- ColdFusion 2020 Developer Week - Securing CF
- Fixinator and Foundeo Security Bundle
The Fixinator Code Security Scanner for ColdFusion & CFML is an easy to use security tool that every CF developer can use. It can also easily integrate into CI for automatic scanning on every commit.