Wednesday, November 15, 2023

Critical Variable Mass Assignment Vulnerability in Adobe ColdFusion (CVE-2023-44350)



Background

Adobe ColdFusion is vulnerable to a Mass Assignment vulnerability that can allow an attacker to modify the value of any variable in any scope within the context of remote CFC methods. A mass assignment vulnerability occurs when application code allows a user to set or modify arbitrary objects or values without verifying that the user is authorized to do so. Modifying values related to authorization checks, security controls, or other important functions may permit a malicious user to access sensitive data or perform other unexpected actions. Mass assignment vulnerabilities are not unique to ColdFusion and have affected other languages and frameworks, including ASP.NET, PHP, and Ruby on Rails.

Thursday, October 19, 2023

New Blog Domain - www.hoyahaxa.com

I recently moved my blog over to a custom domain -- https://www.hoyahaxa.com/. Old links for hoyahaxa.blogspot.com will continue to work and redirect to the new domain. I originally started this blog as a place to share my research about SSRF and ColdFusion, with no idea if I'd have the interest and inclination to keep writing. After more than two years and seventeen posts later, I'm still at it. I'm happy enough with Blogger as a platform, although Google's indexing and pagerank seem to really disfavor *.blogspot.com sites. We'll see if that changes with a custom domain. Thanks for sticking around and reading.


Wednesday, October 18, 2023

ColdFusion, Connectors, and CFAdmin Security (for more than just ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11)

Introduction


This post is about ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11, but it's also about more than just those versions, because access to the ColdFusion Administrator (CFAdmin) should be tightly controlled regardless of which version of ColdFusion you're running.

The release notes for CF2023 U5 and CF2021 U11 mention unspecified "connector-related enhancements," with no details. It appears that these enhancements include much stricter default access control to CFAdmin resources through the connectors. The new connectors block all access to CFAdmin resources, so you'll need direct access to Tomcat (or your alternate Java application server) to reach CFAdmin. ColdFusion expert Charlie Arehart and a few others have made comments here and here regarding this new behavior as well.

Tuesday, September 12, 2023

Exploiting CVE-2017-11286 Six Years Later: XXE in ColdFusion via WDDX Packet

Introduction

🎈🎂🎂🎂🎂🎂🎂🎈 Six years ago today, on September 12, 2017, Adobe released APSB17-30. Among three other vulnerabilities*, it included a patch for CVE-2017-11286, a Critical XML eXternal Entity (XXE) bug in ColdFusion. This vulnerability was found and reported to Adobe by Daniel Lawson of Depth Security. While digging into some ColdFusion internals recently, I walked back through history and stumbled on this vulnerability, and figured it was interesting enough for a detailed write-up.

Wednesday, August 30, 2023

Technical Details for CVE-2023-29301: Adobe ColdFusion Access Control Bypass for a CFAdmin Authentication Component

Background

In this post I'll be walking through CVE-2023-29301, an access control bypass / password brute force vulnerability in Adobe ColdFusion that I reported to Adobe and that was fixed on July 11, 2023 in Adobe Product Security Bulletin APSB23-40. Note that this is an access control bypass and is not an authentication bypass vulnerability.

Monday, July 3, 2023

On ColdFusion, AES, and Padding Oracle Attacks: Hic Sunt Dracones

TL;DR: If you use AES-CBC (or another block cipher operating in CBC mode) to decrypt user-controlled ciphertext, validate the ciphertext with an HMAC or similar integrity check prior to decryption to avoid Padding Oracle vulnerabilities. All user-controlled input is untrusted and can be dangerous, even if it is encrypted data.
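The encrypt-then-MAC pattern the TL;DR recommends, written out as an added Java example (not the post's own code nor ColdFusion's encrypt()/decrypt() implementation; ColdFusion runs on the JVM, so these javax.crypto classes are what is available underneath). The HMAC over IV and ciphertext is checked in constant time before the ciphertext ever reaches the CBC decryptor, so a tampered token gets one generic rejection instead of a distinguishable padding error. Keys and the plaintext are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class EncryptThenMac {
    // Token layout: IV (16 bytes) || AES-CBC ciphertext || HMAC-SHA256 tag (32 bytes) computed over IV||ciphertext
    static byte[] hmac(byte[] macKey, byte[] iv, byte[] ct) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        mac.update(iv); return mac.doFinal(ct);
    }
    static byte[] seal(byte[] encKey, byte[] macKey, byte[] plaintext) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] tag = hmac(macKey, iv, ct);
        byte[] token = new byte[iv.length + ct.length + tag.length];
        System.arraycopy(iv, 0, token, 0, iv.length);
        System.arraycopy(ct, 0, token, iv.length, ct.length);
        System.arraycopy(tag, 0, token, iv.length + ct.length, tag.length);
        return token;
    }
    static byte[] open(byte[] encKey, byte[] macKey, byte[] token) throws Exception {
        // Shortest valid token is IV + one cipher block + tag; reject anything shorter before parsing.
        if (token.length < 16 + 16 + 32) throw new SecurityException("rejected");
        byte[] iv = Arrays.copyOfRange(token, 0, 16);
        byte[] ct = Arrays.copyOfRange(token, 16, token.length - 32);
        byte[] tag = Arrays.copyOfRange(token, token.length - 32, token.length);
        // Constant-time tag check BEFORE the cipher sees the data: tampered ciphertext never reaches
        // the padding check, so no padding error can leak and there is no oracle to query.
        if (!MessageDigest.isEqual(hmac(macKey, iv, ct), tag)) throw new SecurityException("rejected");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(iv));
        return c.doFinal(ct);
    }
    public static void main(String[] args) throws Exception {
        byte[] encKey = new byte[16], macKey = new byte[32]; // constructed demo keys; derive both from a KDF in practice
        SecureRandom rng = new SecureRandom(); rng.nextBytes(encKey); rng.nextBytes(macKey);
        byte[] token = seal(encKey, macKey, "session=demo".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(open(encKey, macKey, token), StandardCharsets.UTF_8));
        token[20] ^= 0x01; // flip one ciphertext bit: the tag check fails and decryption is never attempted
        try { open(encKey, macKey, token); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Note that the two keys are independent: reusing the AES key as the HMAC key, or MAC-ing the plaintext instead of the ciphertext, would undo the protection the check is meant to provide.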