ColdFusion Posts Around the World.
Hoya Haxa: A Security Research Blog

BSidesLV 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction
  Thank you to BSidesLV for the opportunity to speak this year. The slides from my talk, Modern ColdFusion Exploitation and Attack Surface Reduction, are now online below. They're pretty similar to my...

On ColdFusion Administrator Access Control Bypass Techniques
  Introduction: Access Control is frequently boring but important. It's one of the core security services defined in the OSI Security Architecture reference model. And it's illustrative of what Erasmus and Franklin (not to mention many doctors, nutr...

Summercon 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction
  Last Friday it was an absolute honor to talk about ColdFusion security at Summercon. Summercon was the first security conference I attended and it remains my favorite after many years, as BlackHat has gotten enormous and other cons ha...

Defending Against CVE-2024-20767 (ColdFusion Arbitrary File System Read)
  Technical details for CVE-2024-20767 (ColdFusion Arbitrary File System Read) from APSB24-14 have now been publicly disclosed by the researcher who reported it to Adobe PSIRT:

If You're Running an Intranet Connections Lucee Instance, Ensure That You've Changed the Default Lucee Admin Password
  Last week, researchers at Sprocket Security wrote about post-exploitation in Lucee via malicious extensions. It's worth a read to understand what an attacker cou...

One Reason Why Your ColdFusion Server May Still Be Vulnerable Even With the Latest Security Updates Installed

What Does ColdFusion's verifyClient() Do?
  I recently saw a ColdFusion question about verifyClient and remote CFC functions. I already have strong opinions about why you don't want to use...

Thinking Defensively about Three Recent Lucee Vulnerabilities
  Last week, Harsh Jaiswal and Rahul Maini from ProjectDiscovery released some impressive security research on multiple vulnerabilities in Lucee (and Mura CMS and Masa CMS).

A Christmas Post: Beer and Bounties
  Christmas came early this year in Potrero Hill and it was sad news for craft beer drinkers. Anchor Brewing released their 47th (and likely final) Christmas Ale in July, with a California-only distribution, as a result of their...

Critical Variable Mass Assignment Vulnerability in Adobe ColdFusion (CVE-2023-44350)

New Blog Domain - www.hoyahaxa.com
  I recently moved my blog over to a custom domain -- https://www.hoyahaxa.com/. Old links for hoyahaxa.blogspot.com will continue to work and redirect to the new domain. I originally started this blog as a place to share my research about...

Technical Details for CVE-2023-29301: Adobe ColdFusion Access Control Bypass for a CFAdmin Authentication Component
  Background

ColdFusion, Connectors, and CFAdmin Security (for more than just ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11)
  Introduction

Exploiting CVE-2017-11286 Six Years Later: XXE in ColdFusion via WDDX Packet
  Introduction: Six years ago today, on September 12, 2017, Adobe released...

Stupid Unix Tricks - Using $IFS in Web Application Command Injection Vulnerabilities for Full RCE
  A while ago I was testing a web application and found a command injection vulnerability. The payload could be sent via an email address field, so something like: {7*7}@foo.com returned:

On ColdFusion, XXE, and other XML Attacks
  An Introduction: This is the first of what may become a few blog posts based on my CFSummit 2022 talk. Plus with the release of Adobe Security Bulletin...

On ColdFusion, AES, and Padding Oracle Attacks: Hic Sunt Dracones
  TL;DR: If you use AES-CBC (or another block cipher operating in CBC mode) to decrypt user-controlled ciphertext, validate the ciphertext with an HMAC or similar integrity check prior to decryption to avoid Padding Oracle vulnerabilities. All user-contr...

SSRF in ColdFusion/CFML Tags and Functions
  TL;DR: Several ColdFusion/CFML tags and functions can process URLs as file path arguments -- including some tags and functions that you might not expect. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities in your code. Developers should be sure to vali...

Second post - a blog introduction
  A new security blog. In 2021. Um...yeah. I've been working in information security for the past 20+ years. These days, most of my focus is on application security, penetration testing, red teaming, and offense — although I have plenty of slowly-aging experience in incident...

Stupid Unix Tricks - Escaping a Restricted Shell
  Welcome to the first post of what may become a series - Stupid Unix Tricks. I love stupid Unix tricks. Even better if they can be used for something security-related. This remains one of my favorite security advi...

Bygone Vulnerabilities - Remote Code Execution in Oracle Reports 10g/11g
  Looking back at old vulnerabilities can be both fun and useful. Part history, part nostalgia, and still a healthy dose of understanding the technical inner workings of some software or system. I'm sure that George Santayana would agree. I had planned to go into deta...

Two One-liners for Quick ColdFusion Static Analysis Security Testing
  I want to find all of the security bugs. I'm sure you do too. (Click here to skip all the background info and just jump to the two one-liners.)

Slides from ColdFusion Summit 2022 - "Below the Surface: Web Vulnerabilities Hiding in your Applications"

Bygone Vulnerabilities - Remote Code Execution in IBM Lotus SameTime Clients (CVE-2013-0553)
  Introduction: It's time to dive into another old vulnerability. Let's go back to 2013. Argo lit up the silver screen. The dulcet sounds of Daft Punk filled the air. And the kids would tick-tock away the hours online in six-second blocks watching...

Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002)

Preliminary Security Advisory - Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002)
  Update March 6, 2023 - the full security advisory has been posted here: https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html

Slides from ColdFusion Summit East 2023 - "Codes, Ciphers, and ColdFusion: What They Don't Want You To Know"

Why You Don't Want To Use CFMX_COMPAT Encryption
  This is the first of what may be a couple of posts about my presentation from ColdFusion Summit East 2023, which was held in April in Washington, DC. Let's talk about ColdFusion ...