Administrator.cfc only provides access to the current web context using server password

Description

Using the server password, it should be possible to access/update every web context;
currently you can only access the current web context.

Environment

None

Activity

Pothys - MitrahSoft
March 30, 2020, 12:13 PM

Hey, I wasn't able to understand what you mean by "every web context".
Could you please elaborate on this?

Zac Spitzer
March 30, 2020, 12:28 PM

I want to be able to access any web context settings from the server context, not just the current one

Pothys - MitrahSoft
March 30, 2020, 4:05 PM
  • In Lucee, we aren't able to access a web context with the server context password.

  • Every web context has its own password; only with that can we access Administrator.cfc.

  • Every web context has its own Administrator.cfc, so it points to the current web context.

  • We aren't able to access another web context from the current one.
    Micha has some ideas about this.

Zac Spitzer
March 30, 2020, 4:21 PM

If I have server access, I can always reset the web context password.
If I have server access, I can access web context without a password since /

For example,

  • I would like to create an extension which reads all the debug logs from all contexts and then produces a report about slow queries or implicit access variables for the entire server.

  • I can't currently read the logging config for other web contexts for my log viewer extension; currently I just read the log files from the file system.

Zac Spitzer
May 5, 2020, 7:55 PM

The thing is, it’s very common to use a CDN like Cloudflare in front of a Lucee website, but it’s also best practice to lock down the Lucee admin to only local access, which doesn’t work if your hostname resolves to Cloudflare, as all requests end up coming from the CDN.

This makes it very hard to access the Lucee admin via the website context. If this change was made, we could do all admin directly via Tomcat on port 8888, which is usually blocked at the firewall and thus more secure.

Assignee

Michael Offner

Reporter

Zac Spitzer

Priority

New

Labels

Fix versions

None

Affects versions
