Exploiting CVE-2017-11286 Six Years Later: XXE in ColdFusion via WDDX Packet
Introduction
🎈🎂🎂🎂🎂🎂🎂🎈 Six years ago today, on September 12, 2017, Adobe released APSB17-30.
Background
In this post I'll be walking through CVE-2023-29301, which is an access control bypass / password brute force vulnerability in Adobe ColdFusion that I reported to Adobe and was fixed on July 11, 2023 in Adobe Product Security Bulletin APSB23-40.
I found an interesting discussion between the community and Adobe today regarding early cfscript functionality for tags.
From: Chris Tierney
Vertically collapsing accordion UI components are simple to implement these days using native HTML.
From: cfSimplicity
TL;DR: If you use AES-CBC (or another block cipher operating in CBC mode) to decrypt user-controlled ciphertext, validate the ciphertext with an HMAC or similar integrity check prior to decryption to avoid Padding Oracle vulnerabilities.
Server logs in ColdFusion are a must-have resource to help you tune, monitor, and troubleshoot your servers.
From: Chris Tierney
I have recently replaced an older Cisco ASA 5550 with a FortiGate 80F.
From: Chris Tierney
This is the first of what may be a couple of posts about my presentation from ColdFusion Summit East 2023, which was held in April in Washington, DC.
These days when creating an EC2 instance in the AWS console UI, by default, the tags are duplicated across Elastic Block Service (EBS) and Elastic Network Interface (ENI) attached resources being created.
From: Chris Tierney
I spoke at ColdFusion Summit East 2023 last week.