CfBlogs

ColdFusion Posts Around the World.
Bypassing Imperva SecureSphere WAF (CVE-2023-50969)
Hoya Haxa: A Security Research Blog
Defending Against CVE-2024-20767 (ColdFusion Arbitrary File System Read)
Hoya Haxa: A Security Research Blog
Technical details for CVE-2024-20767 (ColdFusion Arbitrary File System Read) from APSB24-14 have now been publicly disclosed by the researcher who reported it to Adobe PSIRT:  
If You're Running an Intranet Connections Lucee Instance, Ensure That You've Changed the Default Lucee Admin Password
Hoya Haxa: A Security Research Blog
Last week, researchers at Sprocket Security wrote about post-exploitation in Lucee via malicious extensions.  It's worth a read to understand what an attacker cou...
One Reason Why Your ColdFusion Server May Still Be Vulnerable Even With the Latest Security Updates Installed
Hoya Haxa: A Security Research Blog
What Does ColdFusion's verifyClient() Do?
Hoya Haxa: A Security Research Blog
I recently saw a ColdFusion question about verifyClient and remote CFC functions.  I already have strong opinions about why you don't want to use
Thinking Defensively about Three Recent Lucee Vulnerabilities
Hoya Haxa: A Security Research Blog
Last week, Harsh Jaiswal and Rahul Maini from ProjectDiscovery released some impressive security research on multiple vulnerabilities in Lucee (and Mura CMS and Masa CMS). 
A Christmas Post: Beer and Bounties
Hoya Haxa: A Security Research Blog
Christmas came early this year in Potrero Hill and it was sad news for craft beer drinkers.  Anchor Brewing released their 47th (and likely final) Christmas Ale in July, with a California-only distribution, as a result of their
Critical Variable Mass Assignment Vulnerability in Adobe ColdFusion (CVE-2023-44350)
Hoya Haxa: A Security Research Blog
New Blog Domain - www.hoyahaxa.com
Hoya Haxa: A Security Research Blog
I recently moved my blog over to a custom domain -- https://www.hoyahaxa.com/. Old links for hoyahaxa.blogspot.com will continue to work and redirect to the new domain.  I originally started this blog as a place to share my research about
Technical Details for CVE-2023-29301: Adobe ColdFusion Access Control Bypass for a CFAdmin Authentication Component
Hoya Haxa: A Security Research Blog
Background
ColdFusion, Connectors, and CFAdmin Security (for more than just ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11)
Hoya Haxa: A Security Research Blog
Introduction
Exploiting CVE-2017-11286 Six Years Later: XXE in ColdFusion via WDDX Packet
Hoya Haxa: A Security Research Blog
Introduction. Six years ago today, on September 12, 2017, Adobe released
Stupid Unix Tricks - Using $IFS in Web Application Command Injection Vulnerabilities for Full RCE
Hoya Haxa: A Security Research Blog
Awhile ago I was testing a web application and found a command injection vulnerability.  The payload could be sent via an email address field, so something like: {7*7}@foo.com returned:
On ColdFusion, XXE, and other XML Attacks
Hoya Haxa: A Security Research Blog
An Introduction. This is the first of what may become a few blog posts based on my CFSummit 2022 talk.  Plus with the release of Adobe Security Bulletin 
On ColdFusion, AES, and Padding Oracle Attacks: Hic Sunt Dracones
Hoya Haxa: A Security Research Blog
TL; DR: If you use AES-CBC (or another block cipher operating in CBC mode) to decrypt user-controlled ciphertext, validate the ciphertext with an HMAC or similar integrity check prior to decryption to avoid Padding Oracle vulnerabilities.  All user-contr...
SSRF in ColdFusion/CFML Tags and Functions
Hoya Haxa: A Security Research Blog
TL;DR: Several ColdFusion/CFML tags and functions can process URLs as file path arguments -- including some tags and functions that you might not expect.  This can lead to Server-Side Request Forgery (SSRF) vulnerabilities in your code.  Developers should be sure to vali...
Second post - a blog introduction
Hoya Haxa: A Security Research Blog
A new security blog. In 2021. Um...yeah. I've been working in information security for the past 20+ years.  These days, most of my focus is on application security, penetration testing, red teaming, and offense — although I have plenty of slowly-aging experience in incident...
Stupid Unix Tricks - Escaping a Restricted Shell
Hoya Haxa: A Security Research Blog
Welcome to the first post of what may become a series - Stupid Unix Tricks. I love stupid Unix tricks.  Even better if they can be used for something security-related.  This remains one of my favorite security advi...
Bygone Vulnerabilities - Remote Code Execution in Oracle Reports 10g/11g
Hoya Haxa: A Security Research Blog
Looking back at old vulnerabilities can be both fun and useful.  Part history, part nostalgia, and still a healthy dose of understanding the technical inner workings of some software or system.  I'm sure that George Santayana would agree.  I had planned to go into deta...
Two One-liners for Quick ColdFusion Static Analysis Security Testing
Hoya Haxa: A Security Research Blog
I want to find all of the security bugs.  I'm sure you do too.  (Click here to skip all the background info and just jump to the two one-liners.)
Bygone Vulnerabilities - Remote Code Execution in IBM Lotus SameTime Clients (CVE-2013-0553)
Hoya Haxa: A Security Research Blog
Introduction. It's time to dive into another old vulnerability.  Let's go back to 2013.  Argo lit up the silver screen.  The dulcet sounds of Daft Punk filled the air.  And the kids would tick-tock away the hours online in six-second blocks watching
Slides from ColdFusion Summit 2022 - "Below the Surface: Web Vulnerabilities Hiding in your Applications"
Hoya Haxa: A Security Research Blog
Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002)
Hoya Haxa: A Security Research Blog
Preliminary Security Advisory - Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002)
Hoya Haxa: A Security Research Blog
Update March 6, 2023 - the full security advisory has been posted here: https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html
Slides from ColdFusion Summit East 2023 - "Codes, Ciphers, and ColdFusion: What They Don't Want You To Know"
Hoya Haxa: A Security Research Blog
Why You Don't Want To Use CFMX_COMPAT Encryption
Hoya Haxa: A Security Research Blog
This is the first of what may be a couple of posts about my presentation from ColdFusion Summit East 2023, which was held in April in Washington, DC. Let's talk about ColdFusion ...




Powered by Galaxy Blog

If you have an idea that you want to share, please contact us! This community can only thrive if we continue to work together.

Images and Photography:

Gregory Alexander either owns the copyright, or has the rights to use, all images and photographs on the site. If an image is not part of the "Galaxie Blog" open sourced distribution package, and instead is part of a personal blog post or a comment, please contact us and the author of the post or comment to obtain permission if you would like to use a personal image or photograph found on this site.

Credits:

Portions of Galaxie Blog are powered on the server side by BlogCfc, an open source blog developed by Raymond Camden. Revitalizing BlogCfc was a part of my original inspiration that prompted me to design this site.

Version:

Galaxie Blog Version 3.0 (Toby's Edition) June 14th 2022 Tropical Wave theme