Pete Freitag

RDS Security Problems?

Published on September 09, 2005
By Pete Freitag
coldfusion

Erki Esken posted a comment on Ben Forta's blog asking if the source to the RDS plugin for Eclipse would be released. Forta's response was:

"But, my gut feel is that it would not be a good idea to fully expose the source for RDS as that may create potential security problems."

Wait a second there. I can understand that Macromedia may not want to release the source for business reasons. I have no problem with that. But suggesting that the source code would create security problems for ColdFusion, well, either the security problem is there, or it isn't. The source code isn't going to create the problem, and keeping the source code for RDS closed isn't going to make it go away.

Now I know that Macromedia has recommended that folks disable RDS in production as a best practice in various technotes. But they also state on their web site:

"ColdFusion RDS allows developers to securely access remote files and data sources, and debug CFML code."
Macromedia Technote 17276, second paragraph.

My concerns are this:

  • If there is an actual security problem with RDS besides folks authenticating in plain text (if you're not using SSL) that Macromedia knows about, then ethically they should release a patch and come forward with it.
  • It is published on their web site that the protocol doesn't send the passwords in plain text, so this is nothing new. Since Ben said it would "create potential security problems," this suggests that he may be talking about something that isn't published already.
  • Many people do in fact use RDS, despite best practice; my poll showed that 40% of my readers use RDS.
  • Macromedia is sending a mixed message by saying it's secure, but you should disable it for security reasons.

I'm hopeful this can be resolved with another comment by Ben. I'm not trying to cause trouble here; it just doesn't sit well with me.

In closing, I want to mention that I think it's great Macromedia is building this plugin, and I don't have a problem with it being closed source. Don't get me wrong, I'd love to see the RDS protocol open, but I'm not going to hold my breath.

Update: Ben has cleared things up in his blog post, please check it out.

I'm going to be out of town this weekend, so I won't be able to reply to any comments until Sunday night or Monday.

Comments

I think you missed the point on this one, see my reply to your comment in my original post.
by Ben Forta on 09/09/2005 at 2:37:04 PM UTC
Thanks for clearing that up, Ben. I've updated this entry to reflect that.

-pete
by Pete Freitag on 09/09/2005 at 3:05:44 PM UTC
Why don't you show the birth date? The year is incorrect. I thought for the birth date no security would be there, that's why I filled in the wrong year. So please let me fill in the correct date.
Thank you.
by barbie on 01/05/2006 at 3:24:49 AM UTC
Unable to go to trackback URL - "missing url variable". Wanted to say I'm interested in what Ben says about RDS - I must admit great frustration regarding this issue. We have several years into a CF CMS but have never been able to use CF/RDS with DW. The sad truth is that virtually all hosting companies disable RDS on shared hosting because of Macromedia's own warnings. It is my opinion that many Mac developers go ASP vs. CF because they can connect and develop with Dreamweaver. Everything we have built with CF we have hand-coded. Emancipate me.
by Matthew Lipscomb on 09/13/2006 at 3:17:04 PM UTC