Encrypt Password Submission From Lucee Admin

Hello,

Recently, our company had a cybersecurity audit done. One of the issues that was flagged was that cleartext passwords were being submitted from the Lucee admin login page. I have been tasked to fix this vulnerability, but I don’t have a lot of experience and am unsure how to proceed. Has anyone else dealt with this issue that could give me some advice?

Thank you.

Use SSL.

According to the report that we received from the consulting company, they detected the vulnerability not via hostname, but by IP address. How would I use an SSL on IPAddress/lucee/admin/server.cfm?

Refer to the documentation for your web server (Apache/IIS/Nginx/etc). You’ll need to purchase an SSL cert, which most every site has these days. If you have an SSL site, but not all virtual hosts are enforcing SSL, then adjust your web server configuration. Whether it’s a hostname or an IP doesn’t really matter.

FWIW, if this was a pentest performed internally and they were just hitting the Lucee server directly (bypassing a front-end proxy) then I would log that the access is over an internal network and therefore mitigated. That’s my opinion anyway. I’ve never put SSL on an internal server just for this reason.

Scanning by IP is normal, which would result in bad SSL or no SSL.
You can set up a bad SSL certificate (self installed) and map it to the IP address.
It’s better though from a security standpoint to lock off your application servers, or web servers on their own DMZ / VLAN.
Nearly all modern smart switches support VLAN tagging. If you really want to get into security, you can further use firewalls, both WAF and hardware based, to further lock down your config. This goes far beyond the topic of Lucee and can go down to how much time and money you will sink for the placebo of security.

2 Likes

letsencrypt does wildcard certs these days, so it’s not that hard to have SSL for all your servers

5 Likes

Just a little note on this, just for the case… If you can hit the Lucee admin by submitting the pure IP address of your Lucee box, I’m pretty sure the web context is coming from the default web context of Tomcat. If this is the case, it could also be possible to get to the Lucee admin by spoofing the hostnames in the client in combination with that IP set in your OS hosts file. In such a case I’d try blocking any request coming from any other than localhost by urlRewrite in Tomcat for the default web context.

1 Like

@andreas That’s exactly how I ended up resolving this as of this morning. I used URLRewrite to put up a 403 Forbidden page if accessed via IP.

1 Like
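The URLRewrite resolution described in the post above, written out as an added example (not the poster’s actual configuration): a Tomcat RewriteValve `rewrite.config` that answers 403 Forbidden for the Lucee admin whenever the Host header is a bare IP literal, and optionally pushes admin requests onto HTTPS once a certificate is in place. It assumes Lucee is deployed in Tomcat’s ROOT (default) web context and that the valve has been enabled in that context’s `context.xml`.

```apache
# Assumed location: <tomcat>/webapps/ROOT/WEB-INF/rewrite.config
# Enable the valve in the same context's META-INF/context.xml (or conf/context.xml):
#   <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />

# Condition 1: Host header is an IPv4 literal, with or without a port ...
RewriteCond %{HTTP_HOST} ^(\d{1,3}\.){3}\d{1,3}(:\d+)?$ [OR]
# Condition 2: ... or a bracketed IPv6 literal such as [::1]:8888
RewriteCond %{HTTP_HOST} ^\[[0-9a-fA-F:.]+\](:\d+)?$
# Any request for the admin that matched a condition above gets 403 (F = forbidden,
# NC = case-insensitive path match). "-" means the path is left unchanged.
RewriteRule ^/lucee/admin/ - [F,NC]

# Optional, only once a certificate is installed for the hostname:
# redirect plain-HTTP admin requests to HTTPS so the login form never posts in clear.
RewriteCond %{HTTPS} off
RewriteRule ^/lucee/admin/(.*)$ https://%{HTTP_HOST}/lucee/admin/$1 [R=301,L]
```

If a front-end web server (Apache/IIS/Nginx) proxies to Tomcat, the same two rules belong there instead, since Tomcat then only ever sees the proxied Host header.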

Sounds like not the issue but fwiw, a couple of years ago I did up a post on how to set up a self signed SSL cert on a windows intranet to avoid browser warnings and ensure admin access is encrypted locally. It’s a bit of a PITA but can be done.

(I’ve also done a walkthrough setting up LetsEncrypt fwiw)

2 Likes