1/13/25, 12:55 PM
Coldfusion
1/13/25, 12:55 PM
Coldfusion
An Initial Analysis of Adobe ColdFusion CVE-2024-53961
A ColdFusion security patch released two days before Christmas? I have a feeling that may have resulted in many sysadmins shouting "Fiddlesticks!" (or perhaps another f-word) earlier today.
12/24/24, 3:53 AM
Coldfusion
An Initial Analysis of Adobe ColdFusion CVE-2024-53961
A ColdFusion security patch released two days before Christmas? I have a feeling that may have resulted in many sysadmins shouting "Fiddlesticks!" (or perhaps another f-word) earlier today.
12/24/24, 3:53 AM
Coldfusion
BSidesLV 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction
Thank you to BSidesLV for the opportunity to speak this year. The slides from my talk, Modern ColdFusion Exploitation and Attack Surface Reduction, are now online below. They're pretty similar to my Summercon slides, with a few updates.
8/8/24, 3:33 PM
Coldfusion
BSidesLV 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction
Thank you to BSidesLV for the opportunity to speak this year. The slides from my talk, Modern ColdFusion Exploitation and Attack Surface Reduction, are now online below. They're pretty similar to my Summercon slides, with a few updates.
8/8/24, 3:33 PM
Coldfusion
On ColdFusion Administrator Access Control Bypass Techniques
IntroductionAccess Control is frequently boring but important.
7/24/24, 7:15 PM
Coldfusion
On ColdFusion Administrator Access Control Bypass Techniques
IntroductionAccess Control is frequently boring but important.
7/24/24, 7:15 PM
Coldfusion
Summercon 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction
Last Friday it was an absolute honor to talk about ColdFusion security at Summercon.
7/22/24, 9:59 PM
Coldfusion
Summercon 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction
Last Friday it was an absolute honor to talk about ColdFusion security at Summercon.
7/22/24, 9:59 PM
Coldfusion
Bypassing Imperva SecureSphere WAF (CVE-2023-50969)
Background Imperva SecureSphere Web Application Firewall (WAF) is an on-premise security solution to inspect, monitor and block traffic to web applications.
3/27/24, 9:00 AM
Coldfusion
Bypassing Imperva SecureSphere WAF (CVE-2023-50969)
Background Imperva SecureSphere Web Application Firewall (WAF) is an on-premise security solution to inspect, monitor and block traffic to web applications.
3/27/24, 9:00 AM
Coldfusion
Defending Against CVE-2024-20767 (ColdFusion Arbitrary File System Read)
Technical details for CVE-2024-20767 (ColdFusion Arbitrary File System Read) from APSB24-14 have now been publicly disclosed by the researcher who reported it to Adobe PSIRT: https://jeva.
3/25/24, 2:45 PM
Coldfusion
Defending Against CVE-2024-20767 (ColdFusion Arbitrary File System Read)
Technical details for CVE-2024-20767 (ColdFusion Arbitrary File System Read) from APSB24-14 have now been publicly disclosed by the researcher who reported it to Adobe PSIRT: https://jeva.
3/25/24, 2:45 PM
Coldfusion
If You're Running an Intranet Connections Lucee Instance, Ensure That You've Change the Default Lucee Admin Password
Last week, researchers at Sprocket Security wrote about post-exploitation in Lucee via malicious extensions.
3/21/24, 2:50 PM
Coldfusion
If You're Running an Intranet Connections Lucee Instance, Ensure That You've Change the Default Lucee Admin Password
Last week, researchers at Sprocket Security wrote about post-exploitation in Lucee via malicious extensions.
3/21/24, 2:50 PM
Coldfusion
One Reason Why Your ColdFusion Server May Still Be Vulnerable Even With the Latest Security Updates Installed
Next Tuesday is Adobe Patch Tuesday.
3/5/24, 5:03 AM
Coldfusion
One Reason Why Your ColdFusion Server May Still Be Vulnerable Even With the Latest Security Updates Installed
Next Tuesday is Adobe Patch Tuesday.
3/5/24, 5:03 AM
Coldfusion
What Does ColdFusion's verifyClient() Do?
I recently saw a ColdFusion question about verifyClient and remote CFC functions.
2/27/24, 6:34 AM
Coldfusion
What Does ColdFusion's verifyClient() Do?
I recently saw a ColdFusion question about verifyClient and remote CFC functions.
2/27/24, 6:34 AM
Coldfusion
Thinking Defensively About Three Recent Lucee Vulnerabilities
Last week, Harsh Jaiswal and Rahul Maini from ProjectDiscovery released some impressive security research on multiple vulnerabilities in Lucee (and Mura CMS and Masa CMS).
2/21/24, 6:23 PM
Coldfusion
Thinking Defensively About Three Recent Lucee Vulnerabilities
Last week, Harsh Jaiswal and Rahul Maini from ProjectDiscovery released some impressive security research on multiple vulnerabilities in Lucee (and Mura CMS and Masa CMS).
2/21/24, 6:23 PM
Coldfusion
A Christmas Post: Beer and Bounties
Christmas came early this year in Potrero Hill and it was sad news for craft beer drinkers.
12/23/23, 10:24 PM
Coldfusion
A Christmas Post: Beer and Bounties
Christmas came early this year in Potrero Hill and it was sad news for craft beer drinkers.
12/23/23, 10:24 PM
Coldfusion
Critical Variable Mass Assignment Vulnerability in Adobe ColdFusion (CVE-2023-44350)
BackgroundAdobe ColdFusion is vulnerable to a Mass Assignment vulnerability that can result in an attacker being able to modify the value of any variable in any scope within the context of remote CFC methods.
11/15/23, 5:01 PM
Coldfusion
Critical Variable Mass Assignment Vulnerability in Adobe ColdFusion (CVE-2023-44350)
BackgroundAdobe ColdFusion is vulnerable to a Mass Assignment vulnerability that can result in an attacker being able to modify the value of any variable in any scope within the context of remote CFC methods.
11/15/23, 5:01 PM
Coldfusion