Tuesday, September 12, 2023

Exploiting CVE-2017-11286 Six Years Later: XXE in ColdFusion via WDDX Packet


🎈🎂🎂🎂🎂🎂🎂🎈Six years ago today, on September 12, 2017, Adobe released APSB17-30.  Among three other vulnerabilities*, it included a patch for CVE-2017-11286 a Critical XML eXternal entities (XXE) bug in ColdFusion.  This vulnerability was found and reported to Adobe by Daniel Lawson of Depth Security.  While digging into some ColdFusion internals recently, I walked back through history and stumbled on this vulnerability, and figured it was interesting enough for a detailed write-up.