Tuesday, February 27, 2024

What Does ColdFusion's verifyClient() Do?

I recently saw a ColdFusion question about verifyClient and remote CFC functions.  I already have strong opinions about why you don't want to use remote CFC functions, but I was unfamiliar with verifyClient.  That led me to take a look at how it works and I thought it was interesting enough to write about.  

Wednesday, February 21, 2024

Thinking Defensively about Three Recent Lucee Vulnerabilities

Last week, Harsh Jaiswal and Rahul Maini from ProjectDiscovery released some impressive security research on multiple vulnerabilities in Lucee (and Mura CMS and Masa CMS).  Their blog post is a must-read, and I'm not going to rehash their steps from research to discovery to exploitation.  Instead, I'm going to look at these vulnerabilities through a defensive lens.  

Saturday, December 23, 2023

A Christmas Post: Beer and Bounties

Christmas came early this year in Potrero Hill and it was sad news for craft beer drinkers.  Anchor Brewing released their 47th (and likely final) Christmas Ale in July, with a California-only distribution, as a result of their brewery shutdown announced in the same month.  Anchor's beers have been a perennial favorite of mine -- especially Liberty Ale and the ever-changing Our Very Special Ale to kick off the Christmas season each year.   Some years were hits, some were misses, but I always looked forward to trying each year's release.  It's sad to see the end of Anchor Brewing and I'm happy to have a dwindling few bottles stored in my garage.  

Wednesday, November 15, 2023

Critical Variable Mass Assignment Vulnerability in Adobe ColdFusion (CVE-2023-44350)
Background

Adobe ColdFusion is vulnerable to a Mass Assignment vulnerability that can result in an attacker being able to modify the value of any variable in any scope within the context of remote CFC methods.  A mass assignment vulnerability occurs when application code allows a user to set or modify arbitrary objects or values without verifying that the user is authorized to do so.  Modifying values related to authorization checks, security controls, or other important functions may permit a malicious user to access sensitive data or perform other unexpected actions.  Mass assignment vulnerabilities are not unique to ColdFusion and have affected other languages and frameworks, including ASP.NET, PHP, and Ruby on Rails.

Thursday, October 19, 2023

New Blog Domain - www.hoyahaxa.com

I recently moved my blog over to a custom domain -- https://www.hoyahaxa.com/. Old links for hoyahaxa.blogspot.com will continue to work and redirect to the new domain.  I originally started this blog as a place to share my research about SSRF and ColdFusion, with no idea if I'd have the interest and inclination to keep writing.  More than two years and seventeen posts later, I'm still at it.  I'm happy enough with Blogger as a platform, although Google's indexing and pagerank seem to really disfavor *.blogspot.com sites.  We'll see if that changes with a custom domain.  Thanks for sticking around and reading.
Wednesday, October 18, 2023

ColdFusion, Connectors, and CFAdmin Security (for more than just ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11)

Introduction
This post is about ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11, but it's also about more than just those versions, because access to the ColdFusion Administrator (CFAdmin) should be tightly controlled regardless of which version of ColdFusion you're running.

The release notes for CF2023 U5 and CF2021 U11 mention unspecified "connector-related enhancements," with no details.  It appears that these enhancements include much stricter default access control to CFAdmin resources through the connectors.  The new connectors will block all access to CFAdmin resources, so you'll need direct access to Tomcat (or your alternate Java application server) to reach CFAdmin.  ColdFusion expert Charlie Arehart and a few others have made comments here and here regarding this new behavior as well.