Saturday, December 23, 2023

A Christmas Post: Beer and Bounties

Christmas came early this year in Potrero Hill and it was sad news for craft beer drinkers.  Anchor Brewing released their 47th (and likely final) Christmas Ale in July, with a California-only distribution, as a result of their brewery shutdown announced in the same month.  Anchor's beers have been a perennial favorite of mine -- especially Liberty Ale and the ever-changing Our Very Special Ale to kick off the Christmas season each year.   Some years were hits, some were misses, but I always looked forward to trying each year's release.  It's sad to see the end of Anchor Brewing and I'm happy to have a dwindling few bottles stored in my garage.  

Wednesday, November 15, 2023

Critical Variable Mass Assignment Vulnerability in Adobe ColdFusion (CVE-2023-44350)

Background

Adobe ColdFusion is vulnerable to a Mass Assignment vulnerability that can result in an attacker being able to modify the value of any variable in any scope within the context of remote CFC methods.  A mass assignment vulnerability occurs when application code allows a user to set or modify arbitrary objects or values without verifying that the user is authorized to do so.  Modifying values related to authorization checks, security controls, or other important functions may permit a malicious user to access sensitive data or perform other unexpected actions.  Mass assignment vulnerabilities are not unique to ColdFusion and have affected other languages and frameworks, including ASP.NET, PHP, and Ruby on Rails.

Thursday, October 19, 2023

New Blog Domain - www.hoyahaxa.com

I recently moved my blog over to a custom domain -- https://www.hoyahaxa.com/. Old links for hoyahaxa.blogspot.com will continue to work and redirect to the new domain.  I originally started this blog as a place to share my research about SSRF and ColdFusion, with no idea if I'd have the interest and inclination to keep writing.  More than two years and seventeen posts later, I'm still at it.  I'm happy enough with Blogger as a platform, although Google's indexing and pagerank seem to really disfavor *.blogspot.com sites.  We'll see if that changes with a custom domain.  Thanks for sticking around and reading.


Wednesday, October 18, 2023

ColdFusion, Connectors, and CFAdmin Security (for more than just ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11)

Introduction

This post is about ColdFusion 2023 Update 5 and ColdFusion 2021 Update 11, but it's also about more than just those versions, because access to the ColdFusion Administrator (CFAdmin) should be tightly controlled regardless of what version of ColdFusion you're running.

The release notes for CF2023 U5 and CF2021 U11 mention unspecified "connector-related enhancements," with no details.  It appears that these enhancements include much stricter default access control to CFAdmin resources through the connectors.  The new connectors will block all access to CFAdmin resources, so you'll need direct access to Tomcat (or your alternate Java application server) to access CFAdmin.  ColdFusion expert Charlie Arehart and a few others have made comments here and here regarding this new behavior as well.

Tuesday, September 12, 2023

Exploiting CVE-2017-11286 Six Years Later: XXE in ColdFusion via WDDX Packet

Introduction

🎈🎂🎂🎂🎂🎂🎂🎈 Six years ago today, on September 12, 2017, Adobe released APSB17-30.  Among three other vulnerabilities*, it included a patch for CVE-2017-11286, a Critical XML eXternal Entities (XXE) bug in ColdFusion.  This vulnerability was found and reported to Adobe by Daniel Lawson of Depth Security.  While digging into some ColdFusion internals recently, I walked back through history and stumbled on this vulnerability, and figured it was interesting enough for a detailed write-up.

Wednesday, August 30, 2023

Technical Details for CVE-2023-29301: Adobe ColdFusion Access Control Bypass for a CFAdmin Authentication Component

Background

In this post I'll be walking through CVE-2023-29301, which is an access control bypass / password brute force vulnerability in Adobe ColdFusion that I reported to Adobe and that was fixed on July 11, 2023 in Adobe Product Security Bulletin APSB23-40.  Note that this is an access control bypass and is not an authentication bypass vulnerability.

Monday, July 3, 2023

On ColdFusion, AES, and Padding Oracle Attacks: Hic Sunt Dracones

TL;DR: If you use AES-CBC (or another block cipher operating in CBC mode) to decrypt user-controlled ciphertext, validate the ciphertext with an HMAC or similar integrity check prior to decryption to avoid Padding Oracle vulnerabilities.  All user-controlled input is untrusted and can be dangerous, even if it is encrypted data.

Friday, May 12, 2023

Why You Don't Want To Use CFMX_COMPAT Encryption

This is the first of what may be a couple of posts about my presentation from ColdFusion Summit East 2023, which was held in April in Washington, DC.

Let's talk about ColdFusion and encryption.  Specifically -- about the CFMX_COMPAT algorithm.  The encrypt() function was introduced in ColdFusion 4 (ca. November 1998), and CFMX_COMPAT was the only algorithm available.  The release of ColdFusion 7 (ca. February 2005) added native support for AES, 3DES, DES, and Blowfish.  But CFMX_COMPAT remains the default algorithm used by the encrypt() function.

Monday, April 10, 2023

Slides from ColdFusion Summit East 2023 - "Codes, Ciphers, and ColdFusion: What They Don't Want You To Know"

I spoke at ColdFusion Summit East 2023 last week.  I was fortunate to catch some good talks and Springtime in Washington, DC is always a great time to visit.  My talk was on ColdFusion and Encryption -- what to use, what not to use, and how to securely implement encryption into your applications.  I've shared my slides below, and I plan to turn the content into a few forthcoming blog posts.  

Monday, March 6, 2023

Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002)

Background

Mura CMS is a popular content management system written in ColdFusion/CFML. While it was originally a commercial open source product, it was re-licensed as a closed source application with the release of Mura CMS v10 in 2020.  There are forked open source projects based on the last open source release of Mura CMS, including Masa CMS - which is actively maintained.

Multiple versions of Mura CMS and Masa CMS contain an authentication bypass vulnerability that can allow an unauthenticated attacker to login as any Site Member or System User.

Saturday, January 28, 2023

Preliminary Security Advisory - Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002)

Update March 6, 2023 - the full security advisory has been posted here: https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html

This is a preliminary security advisory, and is being shared so that impacted organizations can update and patch as needed.  Additional technical details will be released on March 6, 2023.

Background:

Mura CMS is a popular content management system written in ColdFusion/CFML. While it was originally a commercial open source product, it was re-licensed as a closed source application with the release of Mura CMS v10 in 2020.  There are forked open source projects based on the last open source release of Mura CMS, including Masa CMS - which is actively maintained.

Multiple versions of Mura CMS and Masa CMS contain an authentication bypass vulnerability that can allow an unauthenticated attacker to login as any Site Member or System User.