An Initial Analysis of Adobe ColdFusion CVE-2024-53961
A ColdFusion security patch released two days before Christmas? I have a feeling that may have resulted in many sysadmins shouting "Fiddlesticks!" (or perhaps another f-word) earlier today.
BSidesLV 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction
Thank you to BSidesLV for the opportunity to speak this year. The slides from my talk, Modern ColdFusion Exploitation and Attack Surface Reduction, are now online below. They're pretty similar to my Summercon slides, with a few updates.
On ColdFusion Administrator Access Control Bypass Techniques
IntroductionAccess Control is frequently boring but important.
Summercon 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction
Last Friday it was an absolute honor to talk about ColdFusion security at Summercon.
Bypassing Imperva SecureSphere WAF (CVE-2023-50969)
Background Imperva SecureSphere Web Application Firewall (WAF) is an on-premise security solution to inspect, monitor and block traffic to web applications.
Defending Against CVE-2024-20767 (ColdFusion Arbitrary File System Read)
Technical details for CVE-2024-20767 (ColdFusion Arbitrary File System Read) from APSB24-14 have now been publicly disclosed by the researcher who reported it to Adobe PSIRT: https://jeva.
If You're Running an Intranet Connections Lucee Instance, Ensure That You've Change the Default Lucee Admin Password
Last week, researchers at Sprocket Security wrote about post-exploitation in Lucee via malicious extensions.
One Reason Why Your ColdFusion Server May Still Be Vulnerable Even With the Latest Security Updates Installed
Next Tuesday is Adobe Patch Tuesday.
What Does ColdFusion's verifyClient() Do?
I recently saw a ColdFusion question about verifyClient and remote CFC functions.
Thinking Defensively About Three Recent Lucee Vulnerabilities
Last week, Harsh Jaiswal and Rahul Maini from ProjectDiscovery released some impressive security research on multiple vulnerabilities in Lucee (and Mura CMS and Masa CMS).
A Christmas Post: Beer and Bounties
Christmas came early this year in Potrero Hill and it was sad news for craft beer drinkers.
Critical Variable Mass Assignment Vulnerability in Adobe ColdFusion (CVE-2023-44350)
BackgroundAdobe ColdFusion is vulnerable to a Mass Assignment vulnerability that can result in an attacker being able to modify the value of any variable in any scope within the context of remote CFC methods.
New Blog Domain - www.hoyahaxa.com
I recently moved my blog over to a custom domain -- https://www.
ColdFusion, Connectors, and CFAdmin Security (for more than just ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11)
IntroductionThis post is about ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11, but it's also about more than just those versions.
Exploiting CVE-2017-11286 Six Years Later: XXE in ColdFusion via WDDX Packet
IntroductionππππππππSix years ago today, on September 12, 2017, Adobe released APSB17-30.
Technical Details for CVE-2023-29301: Adobe ColdFusion Access Control Bypass for a CFAdmin Authentication Component
BackgroundIn this post I'll be walking though CVE-2023-29301, which is an access control bypass / password brute force vulnerability in Adobe ColdFusion that I reported to Adobe and was fixed on July 11, 2023 in Adobe Product Security Bulletin APSB23-40.
On ColdFusion, AES, and Padding Oracle Attacks: Hic Sunt Dracones
TL; DR: If you use AES-CBC (or another block cipher operating in CBC mode) to decrypt user-controlled ciphertext, validate the ciphertext with an HMAC or similar integrity check prior to decryption to avoid Padding Oracle vulnerabilities.
Why You Don't Want To Use CFMX_COMPAT Encryption
This is the first of what may be a couple of posts about my presentation from ColdFusion Summit East 2023, which was held in April in Washington, DC.
Slides from ColdFusion Summit East 2023 - "Codes, Ciphers, and ColdFusion: What They Don't Want You To Know"
I spoke at ColdFusion Summit East 2023 last week.
Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002)
BackgroundMura CMS is a popular content management system written in ColdFusion/CFML.
Preliminary Security Advisory - Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002)
Update March 6, 2023 - the full security advisory has been posted here: https://hoyahaxa.
On ColdFusion, XXE, and other XML Attacks
An IntroductionThis is the first of what may become a few blog posts based on my CFSummit 2022 talk.
Slides from ColdFusion Summit 2022 - "Below the Surface: Web Vulnerabilities Hiding in your Applications"
Photo credit: @coldfumonkehI attended my first CFSummit, where I talked about a handful of web vulnerability classes (SSRF, Session Puzzles, Cryptography flaws, and XML attacks) that might be overlooked by some ColdFusion/CFML developers.
Bygone Vulnerabilities - Remote Code Execution in IBM Lotus SameTime Clients (CVE-2013-0553)
IntroductionIt's time to dive into another old vulnerability.