BSidesLV 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction

Thank you to BSidesLV for the opportunity to speak this year.  The slides from my talk, Modern ColdFusion Exploitation and Attack Surface Reduction, are now online below.  They're pretty similar to my Summercon slides, with a few updates.

From: Hoya Haxa - A Security Research Blog

On ColdFusion Administrator Access Control Bypass Techniques

Introduction: Access Control is frequently boring but important.

Summercon 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction

Last Friday it was an absolute honor to talk about ColdFusion security at Summercon.

Bypassing Imperva SecureSphere WAF (CVE-2023-50969)

Background Imperva SecureSphere Web Application Firewall (WAF) is an on-premise security solution to inspect, monitor and block traffic to web applications.

Defending Against CVE-2024-20767 (ColdFusion Arbitrary File System Read)

Technical details for CVE-2024-20767 (ColdFusion Arbitrary File System Read) from APSB24-14 have now been publicly disclosed by the researcher who reported it to Adobe PSIRT:  https://jeva.

If You're Running an Intranet Connections Lucee Instance, Ensure That You've Changed the Default Lucee Admin Password

Last week, researchers at Sprocket Security wrote about post-exploitation in Lucee via malicious extensions.

What Does ColdFusion's verifyClient() Do?

I recently saw a ColdFusion question about verifyClient and remote CFC functions.

Thinking Defensively About Three Recent Lucee Vulnerabilities

Last week, Harsh Jaiswal and Rahul Maini from ProjectDiscovery released some impressive security research on multiple vulnerabilities in Lucee (and Mura CMS and Masa CMS).

A Christmas Post: Beer and Bounties

Christmas came early this year in Potrero Hill and it was sad news for craft beer drinkers.

Critical Variable Mass Assignment Vulnerability in Adobe ColdFusion (CVE-2023-44350)

Background: Adobe ColdFusion is vulnerable to a Mass Assignment vulnerability that can result in an attacker being able to modify the value of any variable in any scope within the context of remote CFC methods.

New Blog Domain - www.hoyahaxa.com

I recently moved my blog over to a custom domain -- https://www.

ColdFusion, Connectors, and CFAdmin Security (for more than just ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11)

Introduction: This post is about ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11, but it's also about more than just those versions.

Exploiting CVE-2017-11286 Six Years Later: XXE in ColdFusion via WDDX Packet

Introduction: 🎈🎂🎂🎂🎂🎂🎂🎈 Six years ago today, on September 12, 2017, Adobe released APSB17-30.

Technical Details for CVE-2023-29301: Adobe ColdFusion Access Control Bypass for a CFAdmin Authentication Component

Background: In this post I'll be walking through CVE-2023-29301, which is an access control bypass / password brute force vulnerability in Adobe ColdFusion that I reported to Adobe and was fixed on July 11, 2023 in Adobe Product Security Bulletin APSB23-40.

On ColdFusion, AES, and Padding Oracle Attacks: Hic Sunt Dracones

TL;DR: If you use AES-CBC (or another block cipher operating in CBC mode) to decrypt user-controlled ciphertext, validate the ciphertext with an HMAC or similar integrity check prior to decryption to avoid Padding Oracle vulnerabilities.

Why You Don't Want To Use CFMX_COMPAT Encryption

This is the first of what may be a couple of posts about my presentation from ColdFusion Summit East 2023, which was held in April in Washington, DC.

Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002)

Background: Mura CMS is a popular content management system written in ColdFusion/CFML.

On ColdFusion, XXE, and other XML Attacks

An Introduction: This is the first of what may become a few blog posts based on my CFSummit 2022 talk.

Slides from ColdFusion Summit 2022 - "Below the Surface: Web Vulnerabilities Hiding in your Applications"

Photo credit: @coldfumonkeh

I attended my first CFSummit, where I talked about a handful of web vulnerability classes (SSRF, Session Puzzles, Cryptography flaws, and XML attacks) that might be overlooked by some ColdFusion/CFML developers.

Stupid Unix Tricks - Using $IFS in Web Application Command Injection Vulnerabilities for Full RCE

A while ago I was testing a web application and found a command injection vulnerability.