Critical Variable Mass Assignment Vulnerability in Adobe ColdFusion (CVE-2023-44350)

Background: Adobe ColdFusion is vulnerable to a Mass Assignment vulnerability that can result in an attacker being able to modify the value of any variable in any scope within the context of remote CFC methods.

From: Hoya Haxa - A Security Research Blog

New Blog Domain - www.hoyahaxa.com

I recently moved my blog over to a custom domain -- https://www.

From: Hoya Haxa - A Security Research Blog

ColdFusion, Connectors, and CFAdmin Security (for more than just ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11)

Introduction: This post is about ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11, but it's also about more than just those versions.

From: Hoya Haxa - A Security Research Blog

Exploiting CVE-2017-11286 Six Years Later: XXE in ColdFusion via WDDX Packet

Introduction: 🎈🎂🎂🎂🎂🎂🎂🎈 Six years ago today, on September 12, 2017, Adobe released APSB17-30.

From: Hoya Haxa - A Security Research Blog

Technical Details for CVE-2023-29301: Adobe ColdFusion Access Control Bypass for a CFAdmin Authentication Component

Background: In this post I'll be walking through CVE-2023-29301, which is an access control bypass / password brute force vulnerability in Adobe ColdFusion that I reported to Adobe and was fixed on July 11, 2023 in Adobe Product Security Bulletin APSB23-40.

From: Hoya Haxa - A Security Research Blog

On ColdFusion, AES, and Padding Oracle Attacks: Hic Sunt Dracones

TL;DR: If you use AES-CBC (or another block cipher operating in CBC mode) to decrypt user-controlled ciphertext, validate the ciphertext with an HMAC or similar integrity check prior to decryption to avoid Padding Oracle vulnerabilities.

From: Hoya Haxa - A Security Research Blog

Why You Don't Want To Use CFMX_COMPAT Encryption

This is the first of what may be a couple of posts about my presentation from ColdFusion Summit East 2023, which was held in April in Washington, DC.

From: Hoya Haxa - A Security Research Blog

Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002)

Background: Mura CMS is a popular content management system written in ColdFusion/CFML.

From: Hoya Haxa - A Security Research Blog

On ColdFusion, XXE, and other XML Attacks

An Introduction: This is the first of what may become a few blog posts based on my CFSummit 2022 talk.

From: Hoya Haxa - A Security Research Blog

Slides from ColdFusion Summit 2022 - "Below the Surface: Web Vulnerabilities Hiding in your Applications"

Photo credit: @coldfumonkeh. I attended my first CFSummit, where I talked about a handful of web vulnerability classes (SSRF, Session Puzzles, Cryptography flaws, and XML attacks) that might be overlooked by some ColdFusion/CFML developers.

From: Hoya Haxa - A Security Research Blog

Stupid Unix Tricks - Using $IFS in Web Application Command Injection Vulnerabilities for Full RCE

A while ago I was testing a web application and found a command injection vulnerability.

From: Hoya Haxa - A Security Research Blog

Bygone Vulnerabilities - Remote Code Execution in Oracle Reports 10g/11g

Looking back at old vulnerabilities can be both fun and useful.

From: Hoya Haxa - A Security Research Blog

Stupid Unix Tricks - Escaping a Restricted Shell

Welcome to the first post of what may become a series - Stupid Unix Tricks.

From: Hoya Haxa - A Security Research Blog

SSRF in ColdFusion/CFML Tags and Functions

TL;DR: Several ColdFusion/CFML tags and functions can process URLs as file path arguments -- including some tags and functions that you might not expect.

From: Hoya Haxa - A Security Research Blog