Thursday, October 19, 2023

New Blog Domain -

I recently moved my blog over to a custom domain -- Old links for will continue to work and redirect to the new domain. I originally started this blog as a place to share my research about SSRF and ColdFusion, with no idea if I'd have the interest and inclination to keep writing. After more than two years and seventeen posts, I'm still at it. I'm happy enough with Blogger as a platform, although Google's indexing and pagerank seem to really disfavor * sites. We'll see if that changes with a custom domain. Thanks for sticking around and reading.

Wednesday, October 18, 2023

ColdFusion, Connectors, and CFAdmin Security (for more than just ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11)


This post is about ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11, but it's also about more than just those versions, because access to the ColdFusion Administrator (CFAdmin) should be tightly controlled regardless of which version of ColdFusion you're running.

The release notes for CF2023 U5 and CF2021 U11 mention unspecified "connector-related enhancements," with no details. It appears that these enhancements include much stricter default access control to CFAdmin resources through the connectors. The new connectors block all access to CFAdmin resources, so you'll need direct access to Tomcat (or your alternate Java application server) to reach CFAdmin. ColdFusion expert Charlie Arehart and a few others have made comments here and here regarding this new behavior as well.