Monday, June 21, 2021

Two One-liners for Quick ColdFusion Static Analysis Security Testing

I want to find all of the security bugs.  I'm sure you do too.


Some security bug classes are easy to find at scale through automated dynamic security scanning.  Maybe you're also doing some manual application penetration testing.  And maybe you can invest the time to perform in-depth manual code review of important portions of an application, such as core libraries and high-value actions.  But a high-impact vulnerability -- such as remote code execution -- in an insignificant, overlooked portion of your codebase can ruin your day.  Automated code review needs to play a part in any software security effort.

Thursday, June 10, 2021

Stupid Unix Tricks - Using $IFS in Web Application Command Injection Vulnerabilities for Full RCE

A while ago I was testing a web application and found a command injection vulnerability.  The payload could be sent via an email address field, so something like:

{7*7}@foo.com

returned:

User 49@foo.com not found

Thursday, May 27, 2021

Bygone Vulnerabilities - Remote Code Execution in Oracle Reports 10g/11g

Looking back at old vulnerabilities can be both fun and useful.  Part history, part nostalgia, and still a healthy dose of understanding the technical inner workings of some software or system.  I'm sure that George Santayana would agree.  I had planned to go into detail about a bygone vulnerability I found a long time ago in Oracle Reports, but for now this is just a teaser.

Friday, May 21, 2021

Stupid Unix Tricks - Escaping a Restricted Shell

Welcome to the first post of what may become a series - Stupid Unix Tricks.

I love stupid Unix tricks.  Even better if they can be used for something security-related.  This remains one of my favorite security advisories ever.  So it shouldn't be a surprise that I really enjoy security assessments that involve breaking out of a restricted shell.  They're a lot of fun, and restricted shells are extremely hard to get right in terms of security and prevention.  (I feel the same about kiosk escapes too, but that's a topic for another time.)

Sunday, April 25, 2021

Second post - a blog introduction

A new security blog. In 2021. Um...yeah. 

I’ve been working in information security for the past 20+ years.  These days, most of my focus is on application security, penetration testing, red teaming, and offense — although I have plenty of slowly-aging experience in incident response, security operations, network/security engineering, UNIX administration, and policy work too. 

Wednesday, April 21, 2021

SSRF in ColdFusion/CFML Tags and Functions

TL;DR: Several ColdFusion/CFML tags and functions can process URLs as file path arguments -- including some tags and functions that you might not expect.  This can lead to Server-Side Request Forgery (SSRF) vulnerabilities in your code.  Developers should be sure to validate any user input passed to the affected tags and functions.