I'll be giving my ColdFusion for Pentesters talk at SOURCE Boston next week.
Here is the info from the abstract:
"ColdFusion is one of those technologies where organizations are either
ColdFusion shops or they won't touch it on a bet. Similarly, I find
that pentesters have either been exposed to it and have a few tricks to
attack it or not. Aside from common web application issues,
ColdFusion can also be attacked on the network level and many times used
to obtain remote access on the host. This talk will cover what is
ColdFusion, common ColdFusion issues, finding useful ColdFusion URLs,
identifying specific ColdFusion version and components, and verifying if
common vulnerabilities are present in the ColdFusion server you are
targeting. If access to the ColdFusion administrative interface can be
obtained, you can perform post exploitation activities that will
typically yield you remote access to the operating system supporting the
Like the other talks, i'll do the what it is, why you care (?), and some ways to go after it. Hopefully useful/interesting.
Hope to see people there.