HoyaHaxa: A Security Research Blog
Thursday, August 8, 2024

BSidesLV 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction

Thank you to BSidesLV for the opportunity to speak this year.  The slides from my talk,  Modern ColdFusion Exploitation and Attack Surface ...
Wednesday, July 24, 2024

On ColdFusion Administrator Access Control Bypass Techniques

Introduction Access Control is frequently boring but important.  It's one of the core security services defined in the OSI Security Arch...
Monday, July 22, 2024

Summercon 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction

Last Friday it was an absolute honor to talk about ColdFusion security at Summercon .  Summercon was the first security conference I attende...
Wednesday, March 27, 2024

Bypassing Imperva SecureSphere WAF (CVE-2023-50969)

Background  Imperva SecureSphere Web Application Firewall (WAF) is an on-premise security solution to inspect, monitor and block traffic to ...
Monday, March 25, 2024

Defending Against CVE-2024-20767 (ColdFusion Arbitrary File System Read)

Technical details for CVE-2024-20767 (ColdFusion Arbitrary File System Read) from APSB24-14 have now been publicly disclosed by the researc...
Thursday, March 21, 2024

If You're Running an Intranet Connections Lucee Instance, Ensure That You've Changed the Default Lucee Admin Password

Last week, researchers at Sprocket Security wrote about  post-exploitation in Lucee via malicious extensions .  It's worth a read to und...
Tuesday, March 5, 2024

One Reason Why Your ColdFusion Server May Still Be Vulnerable Even With the Latest Security Updates Installed

Next Tuesday is Adobe Patch Tuesday.  Will there be new ColdFusion security updates?  I have no idea.  But even if there are no new patches ...
Tuesday, February 27, 2024

What Does ColdFusion's verifyClient() Do?

I recently saw a ColdFusion question about verifyClient and remote CFC functions.  I already have strong opinions about why you don't w...