ColdFusion Posts Around the World
Hoya Haxa: A Security Research Blog
"Hola, amigos. How's it hangin'? I know it's been a long time since I last rapped at ya, but I've been busier than a feather plucker on nickel wing night, ya know? Your old buddy Jimbo found some discarded books out back next to the dumpster at the inconvenience store a...
A ColdFusion security patch released two days before Christmas? I have a feeling that may have resulted in many sysadmins shouting "Fiddlesticks!" (or perhaps another f-word) earlier today. And on that note, may I suggest this
Thank you to BSidesLV for the opportunity to speak this year. The slides from my talk, Modern ColdFusion Exploitation and Attack Surface Reduction, are now online below. They're pretty similar to my
Introduction
Access Control is frequently boring but important. It's one of the core security services defined in the OSI Security Architecture reference model. And it's illustrative of what Erasmus and Franklin (not to mention many doctors, nutr...
Last Friday it was an absolute honor to talk about ColdFusion security at Summercon. Summercon was the first security conference I attended and it remains my favorite after many years, as BlackHat has gotten enormous and other cons ha...
Technical details for CVE-2024-20767 (ColdFusion Arbitrary File System Read) from APSB24-14 have now been publicly disclosed by the researcher who reported it to Adobe PSIRT:
Last week, researchers at Sprocket Security wrote about post-exploitation in Lucee via malicious extensions. It's worth a read to understand what an attacker cou...
I recently saw a ColdFusion question about verifyClient and remote CFC functions. I already have strong opinions about why you don't want to use
Last week, Harsh Jaiswal and Rahul Maini from ProjectDiscovery released some impressive security research on multiple vulnerabilities in Lucee (and Mura CMS and Masa CMS).
Christmas came early this year in Potrero Hill and it was sad news for craft beer drinkers. Anchor Brewing released their 47th (and likely final) Christmas Ale in July, with a California-only distribution, as a result of their
I recently moved my blog over to a custom domain -- https://www.hoyahaxa.com/. Old links for hoyahaxa.blogspot.com will continue to work and redirect to the new domain. I originally started this blog as a place to share my research about
Background
Introduction
Introduction
Six years ago today, on September 12, 2017, Adobe released
Awhile ago I was testing a web application and found a command injection vulnerability. The payload could be sent via an email address field, so something like: {7*7}@foo.com returned:
An Introduction
This is the first of what may become a few blog posts based on my CFSummit 2022 talk. Plus with the release of Adobe Security Bulletin
TL;DR: If you use AES-CBC (or another block cipher operating in CBC mode) to decrypt user-controlled ciphertext, validate the ciphertext with an HMAC or similar integrity check prior to decryption to avoid Padding Oracle vulnerabilities. All user-contr...
An Introduction
This is the first of what may become a few blog posts based on my
TL;DR: Several ColdFusion/CFML tags and functions can process URLs as file path arguments -- including some tags and functions that you might not expect. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities in your code. Developers should be sure to vali...
Looking back at old vulnerabilities can be both fun and useful. Part history, part nostalgia, and still a healthy dose of understanding the technical inner workings of some software or system. I'm sure that George Santayana would agree. I had planned to go into deta...
Welcome to the first post of what may become a series - Stupid Unix Tricks. I love stupid Unix tricks. Even better if they can be used for something security-related. This remains one of my favorite security advi...
A new security blog. In 2021. Um...yeah. I've been working in information security for the past 20+ years. These days, most of my focus is on application security, penetration testing, red teaming, and offense — although I have plenty of slowly-aging experience in incident...
I want to find all of the security bugs. I'm sure you do too. (Click here to skip all the background info and just jump to the two one-liners.)
Introduction
It's time to dive into another old vulnerability. Let's go back to 2013. Argo lit up the silver screen. The dulcet sounds of Daft Punk filled the air. And the kids would tick-tock away the hours online in six-second blocks watching
Update March 6, 2023 - the full security advisory has been posted here: https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html
This is the first of what may be a couple of posts about my presentation from ColdFusion Summit East 2023, which was held in April in Washington, DC. Let's talk about ColdFusion ...