Exploiting CVE-2017-11286 Six Years Later: XXE in ColdFusion via WDDX Packet
Introduction🎈🎂🎂🎂🎂🎂🎂🎈Six years ago today, on September 12, 2017, Adobe released APSB17-30.
9/12/23, 3:30 AM
Coldfusion
Technical Details for CVE-2023-29301: Adobe ColdFusion Access Control Bypass for a CFAdmin Authentication Component
BackgroundIn this post I'll be walking though CVE-2023-29301, which is an access control bypass / password brute force vulnerability in Adobe ColdFusion that I reported to Adobe and was fixed on July 11, 2023 in Adobe Product Security Bulletin APSB23-40.
8/30/23, 9:09 AM
Coldfusion
Technical Details for CVE-2023-29301: Adobe ColdFusion Access Control Bypass for a CFAdmin Authentication Component
BackgroundIn this post I'll be walking though CVE-2023-29301, which is an access control bypass / password brute force vulnerability in Adobe ColdFusion that I reported to Adobe and was fixed on July 11, 2023 in Adobe Product Security Bulletin APSB23-40.
8/30/23, 9:09 AM
Coldfusion
Technical Details for CVE-2023-29301: Adobe ColdFusion Access Control Bypass for a CFAdmin Authentication Component
BackgroundIn this post I'll be walking though CVE-2023-29301, which is an access control bypass / password brute force vulnerability in Adobe ColdFusion that I reported to Adobe and was fixed on July 11, 2023 in Adobe Product Security Bulletin APSB23-40.
8/30/23, 9:09 AM
Coldfusion
cfscript cf*() functions are Custom Tags
I found an interesting discussion between the community and Adobe today regarding early cfscript functionality for tags.
From: Chris Tierney
7/24/23, 2:31 PM
Coldfusion
cfscript cf*() functions are Custom Tags
I found an interesting discussion between the community and Adobe today regarding early cfscript functionality for tags.
From: Chris Tierney
7/24/23, 2:31 PM
Coldfusion
cfscript cf*() functions are Custom Tags
I found an interesting discussion between the community and Adobe today regarding early cfscript functionality for tags.
From: Chris Tierney
7/24/23, 2:31 PM
Coldfusion
Simpler Bootstrap accordions
Vertically collapsing accordion UI components are simple to implement these days using native HTML.
From: cfSimplicity
7/14/23, 11:34 AM
Coldfusion
Simpler Bootstrap accordions
Vertically collapsing accordion UI components are simple to implement these days using native HTML.
From: cfSimplicity
7/14/23, 11:34 AM
Coldfusion
Simpler Bootstrap accordions
Vertically collapsing accordion UI components are simple to implement these days using native HTML.
From: cfSimplicity
7/14/23, 11:34 AM
Coldfusion
On ColdFusion, AES, and Padding Oracle Attacks: Hic Sunt Dracones
TL; DR: If you use AES-CBC (or another block cipher operating in CBC mode) to decrypt user-controlled ciphertext, validate the ciphertext with an HMAC or similar integrity check prior to decryption to avoid Padding Oracle vulnerabilities.
7/3/23, 10:20 PM
Coldfusion
On ColdFusion, AES, and Padding Oracle Attacks: Hic Sunt Dracones
TL; DR: If you use AES-CBC (or another block cipher operating in CBC mode) to decrypt user-controlled ciphertext, validate the ciphertext with an HMAC or similar integrity check prior to decryption to avoid Padding Oracle vulnerabilities.
7/3/23, 10:20 PM
Coldfusion
On ColdFusion, AES, and Padding Oracle Attacks: Hic Sunt Dracones
TL; DR: If you use AES-CBC (or another block cipher operating in CBC mode) to decrypt user-controlled ciphertext, validate the ciphertext with an HMAC or similar integrity check prior to decryption to avoid Padding Oracle vulnerabilities.
7/3/23, 10:20 PM
Coldfusion
Adobe ColdFusion Log Verboseness
Server logs in ColdFusion are a must-have resource to help you tune, monitor, and troubleshoot your servers.
From: Chris Tierney
6/27/23, 4:59 PM
Coldfusion
Adobe ColdFusion Log Verboseness
Server logs in ColdFusion are a must-have resource to help you tune, monitor, and troubleshoot your servers.
From: Chris Tierney
6/27/23, 4:59 PM
Coldfusion
Adobe ColdFusion Log Verboseness
Server logs in ColdFusion are a must-have resource to help you tune, monitor, and troubleshoot your servers.
From: Chris Tierney
6/27/23, 4:59 PM
Coldfusion
FortiGate 80F to Unifi Security Gateway Pro 4 IPSec Tunnel Issues
I have recently replaced an older Cisco ASA 5550 with a FortiGate 80F.
From: Chris Tierney
5/25/23, 7:16 PM
Coldfusion
FortiGate 80F to Unifi Security Gateway Pro 4 IPSec Tunnel Issues
I have recently replaced an older Cisco ASA 5550 with a FortiGate 80F.
From: Chris Tierney
5/25/23, 7:16 PM
Coldfusion
FortiGate 80F to Unifi Security Gateway Pro 4 IPSec Tunnel Issues
I have recently replaced an older Cisco ASA 5550 with a FortiGate 80F.
From: Chris Tierney
5/25/23, 7:16 PM
Coldfusion
Why You Don't Want To Use CFMX_COMPAT Encryption
This is the first of what may be a couple of posts about my presentation from ColdFusion Summit East 2023, which was held in April in Washington, DC.
5/12/23, 10:54 PM
Coldfusion
Why You Don't Want To Use CFMX_COMPAT Encryption
This is the first of what may be a couple of posts about my presentation from ColdFusion Summit East 2023, which was held in April in Washington, DC.
5/12/23, 10:54 PM
Coldfusion
Why You Don't Want To Use CFMX_COMPAT Encryption
This is the first of what may be a couple of posts about my presentation from ColdFusion Summit East 2023, which was held in April in Washington, DC.
5/12/23, 10:54 PM
Coldfusion
Copying AWS EC2 Tags to EBS Using PowerShell
These days when creating an EC2 instance in the AWS console UI, by default, the tags are duplicated across Elastic Block Service (EBS) and Elastic Network Interface (ENI) attached resources being created.
From: Chris Tierney
4/11/23, 12:17 AM
Coldfusion
Copying AWS EC2 Tags to EBS Using PowerShell
These days when creating an EC2 instance in the AWS console UI, by default, the tags are duplicated across Elastic Block Service (EBS) and Elastic Network Interface (ENI) attached resources being created.
From: Chris Tierney
4/11/23, 12:17 AM
Coldfusion
Copying AWS EC2 Tags to EBS Using PowerShell
These days when creating an EC2 instance in the AWS console UI, by default, the tags are duplicated across Elastic Block Service (EBS) and Elastic Network Interface (ENI) attached resources being created.
From: Chris Tierney
4/11/23, 12:17 AM
Coldfusion
Slides from ColdFusion Summit East 2023 - "Codes, Ciphers, and ColdFusion: What They Don't Want You To Know"
I spoke at ColdFusion Summit East 2023 last week.
4/10/23, 11:21 AM
Coldfusion