Wednesday, March 27, 2024

Bypassing Imperva SecureSphere WAF (CVE-2023-50969)


Imperva SecureSphere Web Application Firewall (WAF) is an on-premise security solution to inspect, monitor and block traffic to web applications.  Some versions of SecureSphere WAF are affected by a vulnerability that could allow an attacker to bypass WAF rules that inspect POST data and subsequently exploit flaws in protected web applications that would otherwise be blocked.

Monday, March 25, 2024

Defending Against CVE-2024-20767 (ColdFusion Arbitrary File System Read)

Technical details for CVE-2024-20767 (ColdFusion Arbitrary File System Read) from APSB24-14 have now been publicly disclosed by the researcher who reported it to Adobe PSIRT:

It's a great finding with an interesting two-step exploit process that combines obtaining a server UUID value from a CFAdmin API endpoint and then using that UUID to access a PMSGenericServlet module (part of the Performance Monitoring Toolset) that can be abused to read local files.

Thursday, March 21, 2024

If You're Running an Intranet Connections Lucee Instance, Ensure That You've Change the Default Lucee Admin Password

Last week, researchers at Sprocket Security wrote about post-exploitation in Lucee via malicious extensions.  It's worth a read to understand what an attacker could do after compromising a Lucee Admin interface to execute arbitrary code and maintain persistence.  Admin interfaces gonna admin -- especially in the case of unauthorized admin access -- and monitoring for any changes in extensions, scheduled jobs, and other sensitive configuration settings is an important detection strategy.   This is also a good reminder why you want very strict access control for Lucee Admin, or may want to consider disabling it altogether.

Tuesday, March 5, 2024

One Reason Why Your ColdFusion Server May Still Be Vulnerable Even With the Latest Security Updates Installed

Next Tuesday is Adobe Patch Tuesday.  Will there be new ColdFusion security updates?  I have no idea.  But even if there are no new patches released, and your ColdFusion servers already have the latest updates installed, you may still be missing an important step in keeping them secure.

Tuesday, February 27, 2024

What Does ColdFusion's verifyClient() Do?

I recently saw a ColdFusion question about verifyClient and remote CFC functions.  I already have strong opinions about why you don't want to use remote CFC functions, but I was unfamiliar with verifyClient.  That led me to take a look at how it works and I thought it was interesting enough to write about.  

Wednesday, February 21, 2024

Thinking Defensively About Three Recent Lucee Vulnerabilities

Last week, Harsh Jaiswal and Rahul Maini from ProjectDiscovery released some impressive security research on multiple vulnerabilities in Lucee (and Mura CMS and Masa CMS).  Their blog post is a must-read, and I'm not going to rehash their steps from research to discovery to exploitation.  Instead, I'm going to look at these vulnerabilities through a defensive lens.