Another ColdFusion RCE – CVE-2018-4939

In October 2017 I published an overview and video proof-of-concept of a Java RMI/deserialization vulnerability affecting the Flex Integration service of Adobe ColdFusion. I held off on publishing all of…

Advertisements

POPping WordPress

Fun with PHP deserialization and some accidental WordPress bugs. A few months ago I was putting together a blog post on PHP deserialization vulnerabilities. I decided to look for a…

Attacking Java Deserialization

Deserialization vulnerabilities are far from new, but exploiting them is more involved than other common vulnerability classes. During a recent client engagement I was able to take advantage of Java…