Announcing CF update released Jul 14 2023: a second priority 1 security update in one week
For more on the update, and some additional thoughts, read on.
For more on the update, and some additional thoughts, read on.
Presenting "Debugging & Error Handling in ColdFusion" today, online for CF DevWeek
Announcing ColdFusion updates released May 13 2025: p1 security update (and more)
Presenting "Solving Common Problems with CF Updates" today, online
Announcing Java updates of Apr 15, 2025 for 8, 11, 17, 21, and 24: thoughts and resources
Announcing ColdFusion updates released May 13 2025: p1 security update (and more)
Charlie Arehart said:
I can now confirm that the path specification in the pathfilter.json file is indeed case-sensitive.
...
[more]
Announcing ColdFusion updates released May 13 2025: p1 security update (and more)
Charlie Arehart said:
I hear you that you need to "move on". I offered help as it seemed you sought it. Maybe yo
...
[more]
Announcing ColdFusion updates released May 13 2025: p1 security update (and more)
Paul said:
Charlie, the path was exactly as I posted above, a single path, no separators. No error in the cold
...
[more]
Announcing ColdFusion updates released May 13 2025: p1 security update (and more)
Charlie Arehart said:
Paul, 3 things. And I think we fill get you to a solution in the first one.
1
...
[more]
Announcing ColdFusion updates released May 13 2025: p1 security update (and more)
Paul said:
Charlie, I tried adding the argument -Dcoldfusion.systemprobe.allow ...
to the jvm.co
...
[more]
I will note that while that post indicates that "There is currently no mitigation", that may not be the final/complete answer. Note how it refers to the _cfclient querystring, and notice that in my first post last week (on the Jul 11 CF update), I did point out how my March blog post on the previous CF update discussed ways to BLOCK ALL REQUESTS using that _cfclient querystring. I also elaborate there on what it's about, how one can determine if they may have any legit use of it (most do not), and much more. See https://www.carehart...
As I've said elsewhere, it's just not clear how many of the recently closed vulns DO work based on the _cfclient querystring. That post is about all we have to go on, as I've not seen any others. While those on cf2018 and above can apply these fixes to address what Adobe has found, it's just not clear (for now) what those on cf2016 can or should do, other than block requests with that querystring.