Wednesday, July 24, 2024

On ColdFusion Administrator Access Control Bypass Techniques

Introduction

Access Control is frequently boring but important.  It's one of the core security services defined in the OSI Security Architecture reference model.  And it's illustrative of what Erasmus and Franklin (not to mention many doctors, nutritionists, and personal trainers) had to say about preventions versus cures.  An attacker can't exploit what he can't access.

Let's pretend you're a jewel thief who wants to steal a bag of jewels locked securely in a bedroom wall safe.  Before you can get down to the art and science of safecracking, you need to get access to the safe first.  The bedroom and the wall safe are protected areas that any passing jewel thief shouldn't be able to just walk up to and start poking at.  Your path to the wall safe would likely have layered security controls -- a locked front door, motion sensors, lasers, CCTV cameras, dogs, bees, dogs with bees in their mouths and when they bark they shoot bees at you, etc. -- that may deter you or at least make your job more difficult.

Looking at CFAdmin

Think of the ColdFusion Administrator (CFAdmin) -- the web-based interface for configuring and managing your ColdFusion environment -- in the same way as that wall safe.  You want to protect and restrict access to CFAdmin as part of your security baseline.  CFAdmin components are served under /CFIDE/ URI paths and expose a great deal of functionality.  Most of them require authentication (a local username/password, or LDAP as of ColdFusion 2023) before they will do anything, but some are reachable without authenticating at all, so the login prompt by itself is not the control you should be relying on.  Proper access control on those paths is crucial.
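As an added example (this is not code from the post or from Adobe), here is a small Python check a defender can run over web-server access logs to see whether the /CFIDE/ baseline is actually holding: it parses Combined Log Format lines, normalizes the request path (percent-decoding, duplicate slashes, case) so that encoded or oddly-cased spellings of /CFIDE/ are not missed, and reports every request under /CFIDE/ whose source address is outside an assumed administrative allowlist. The log lines and the 10.0.5.0/24 allowlist are constructed for illustration; adapt both to your environment.

```python
"""Flag requests to ColdFusion Administrator (/CFIDE/) paths that originate
outside an allowlist of administrative networks.

Added example, not code from the original post. The log lines below are
constructed in Combined Log Format, and the allowlist is an assumption for
illustration: adapt both to your environment.
"""
import ipaddress
import re
from urllib.parse import unquote

# Assumption: only this network may reach CFAdmin (e.g. a management VLAN).
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]

# Everything under /CFIDE/ is treated as administrative attack surface,
# whether or not the individual component enforces authentication.
CFADMIN_PREFIX = "/cfide/"

# Constructed sample lines: one legitimate admin visit, two hits on CFAdmin
# and the Admin API from an outside address, one percent-encoded /CFIDE/
# probe that the web tier blocked, one ordinary page, and one garbage line.
SAMPLE_LOG = """\
10.0.5.12 - - [24/Jul/2024:10:01:02 -0400] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jul/2024:10:02:15 -0400] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 2210 "-" "curl/8.4.0"
203.0.113.7 - - [24/Jul/2024:10:02:16 -0400] "POST /cfide/adminapi/administrator.cfc?method=login HTTP/1.1" 200 311 "-" "python-requests/2.31"
198.51.100.9 - - [24/Jul/2024:10:03:40 -0400] "GET /%43FIDE//scripts/ajax/package.cfm HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Jul/2024:10:04:01 -0400] "GET /index.cfm HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
this line is not a valid log entry
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3})'
)


def normalize_path(target: str) -> str:
    """Reduce a request target to a comparable path.

    Strips the query string, percent-decodes repeatedly (so %2543 and %43
    both become 'C'), collapses duplicate slashes and lowercases, so that
    encoded or oddly-cased spellings of /CFIDE/ compare equal.
    """
    path = target.split("?", 1)[0]
    for _ in range(3):  # bounded loop: stop once decoding is stable
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", path)
    return path.lower()


def is_cfadmin_path(target: str) -> bool:
    """True if the request target resolves to something under /CFIDE/."""
    path = normalize_path(target)
    return path.startswith(CFADMIN_PREFIX) or path == CFADMIN_PREFIX.rstrip("/")


def is_allowed_source(ip_text: str, networks=ADMIN_NETWORKS) -> bool:
    """True if the client address falls inside an allowlisted network.

    Unparseable addresses are treated as not allowed (fail closed).
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def find_unauthorized_cfadmin_requests(log_text: str, networks=ADMIN_NETWORKS):
    """Return (ip, method, normalized_path, status) for every /CFIDE/ request
    from outside the allowlist. Lines that do not parse are skipped.

    A 200 means the web tier let an outside address reach CFAdmin; a 403
    means a control fired but someone is probing, which is still worth a look.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if not is_cfadmin_path(m["target"]):
            continue
        if is_allowed_source(m["ip"], networks):
            continue
        findings.append(
            (m["ip"], m["method"], normalize_path(m["target"]), int(m["status"]))
        )
    return findings


if __name__ == "__main__":
    for ip, method, path, status in find_unauthorized_cfadmin_requests(SAMPLE_LOG):
        print(f"{ip:15} {method:5} {status} {path}")
```

Run it against the constructed log and it reports the two outside hits that got a 200 and the encoded probe that was refused, while the management-network visit and the ordinary page request are left alone. The normalization step is the part worth keeping even if you rewrite the rest: a prefix match on the raw request line misses `/%43FIDE/` and `//CFIDE/` spellings, and those are exactly the ones an attacker will try when a path-based restriction is in front of CFAdmin.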

Monday, July 22, 2024

Summercon 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction

Last Friday it was an absolute honor to talk about ColdFusion security at Summercon.  Summercon was the first security conference I attended and it remains my favorite after many years, as BlackHat has gotten enormous and other cons have run their course.  The slides from my talk Modern ColdFusion Exploitation and Attack Surface Reduction are below.  This talk is the result of several years of thinking about, examining, and researching the attack surface of ColdFusion from both offensive and defensive perspectives.  I'll also be giving the talk again at BSides Las Vegas next month -- with some updated slides, content, and surprises.