Solved

CFMAIL not secure if it uses your email and password

Posted on 2006-07-14
242 Views
Last Modified: 2013-12-24
The way that ColdFusionMX is configured for CFMAIL, you have to embed your email and password into a processing page. This doesn't seem very secure to me.

The processing page looks like this:

<CFMAIL
   server="mail.YourDomain.com"
   username="AnyEmail@YourDomain.com"
   password="YourEmailPassword"
   from="AnyEmail@YourDomain.com"
   to="AnyEmail@AnyDomain.com"
   subject="Any Subject">

   This is the body of the message.

</CFMAIL>


Anyone have any other ideas?
Question by:ServalStudios
6 Comments
 
LVL 13

Expert Comment

by:usachrisk1983
ID: 17110903
Sure, keep it in CFADMIN instead:

"Specify the server for sending SMTP mail messages. You can specify an Internet address (for example, mail.company.com) or the IP address of the mail server (for example, 127.0.0.1). If your mail server requires authentication, you can specify a user name and password in the format user:password@mail.company.com."

 
LVL 1

Author Comment

by:ServalStudios
ID: 17111562
What is CFADMIN?  Is that something you set on the server? I can't do that with shared hosting.
 
LVL 13

Expert Comment

by:usachrisk1983
ID: 17111693
Username and Password are optional and based on the outgoing mail server (are you sure yours needs it?)

The simplest solution would be if your host set up an outgoing mail server for you.  You can test this by just doing:

<cfmail from="youremail@yourhost.com" to="youremail@yourhost.com" subject="test">Hello!</cfmail>

If it works, your host is taking care of SMTP.  If they didn't set up an SMTP server for you to use, then yes, you'll have to provide one in your CFMAIL tag, along with a username and password.

While there are a variety of ways you can get this to the tag, I wouldn't say any are more secure than what you're using now.  For example, you could store them as variables in a different file, but if a user can get to the file that has the CFMAIL tag, they could probably find the other file.

Another solution might be to store these in a file outside of your webroot, read it with CFFILE to get the information, store them in variables, and then put them in CFMAIL, but again, it's only as secure as your host is.

In the end, it's probably just as secure to keep it in your CFM file as it is in any other file.
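One way to implement the "file outside the webroot" approach described in the comment above, written here as an added example (it is not code from this thread, from the original poster, or from Adobe). It assumes a key=value file at /home/youraccount/private/mail.properties with server=, username=, password= and from= lines; the path, the file layout and the struct/attribute names are assumptions to adapt to your hosting account.

```cfml
<!--- Added example, not code from this thread: keep the SMTP account
      details in a small key=value file OUTSIDE the webroot, read it with
      CFFILE, and hand the values to CFMAIL. The path below and the file
      layout (server=, username=, password=, from= lines) are assumptions;
      change them to match your hosting account. --->
<cfset credFile = "/home/youraccount/private/mail.properties">

<cfif NOT fileExists(credFile)>
    <!--- Fail closed: no credentials means no mail, and the error text
          never echoes a username or password --->
    <cfthrow message="Mail configuration is missing.">
</cfif>

<!--- Read the whole file into one string --->
<cffile action="read" file="#credFile#" variable="rawCreds">

<!--- Parse each non-blank, non-comment line into creds[key] = value.
      The value is everything after the FIRST "=", so a password may
      itself contain "=" characters. --->
<cfset creds = structNew()>
<cfloop list="#rawCreds#" index="line" delimiters="#chr(13)##chr(10)#">
    <cfset line = trim(line)>
    <cfif len(line) AND left(line, 1) NEQ "##">
        <cfset eq = find("=", line)>
        <cfif eq GT 1>
            <cfset creds[trim(left(line, eq - 1))] = trim(mid(line, eq + 1, len(line)))>
        </cfif>
    </cfif>
</cfloop>

<cfif isValid("email", form.email)>
    <!--- From is the authenticated account itself; the visitor's address
          goes in Reply-To, because an authenticating SMTP server may
          refuse a From that does not belong to the account. --->
    <cfmail server="#creds.server#"
            username="#creds.username#"
            password="#creds.password#"
            from="#creds.from#"
            replyto="#form.email#"
            to="test@mydomain.org"
            subject="Visitation Response"
            type="html">
        #htmlEditFormat(form.Name)# <br>
        #htmlEditFormat(form.Comments)# <br>
        <br>
        #htmlEditFormat(form.Location)# <br>
    </cfmail>
    <cflocation url="https://mydomain.com/thankyou.html">
<cfelse>
    <h2>You must supply a valid email address.</h2>
</cfif>
```

The credentials file should sit in a directory that the web server never serves and that only the ColdFusion service account can read. The caveat from the comment still applies: this keeps the password out of any page a visitor could request or a source leak could expose, but anyone who can read your .cfm files on the same host can read this file too, so it is only as strong as the host's file permissions.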
 
LVL 1

Author Comment

by:ServalStudios
ID: 17111758
My hosting company does require the username and password.  What I ended up doing is making a little database with the email and password in it.  I ended up using the CFMAIL form to query the database for the username and password.  It seems like the mail is taking a longer time to reach me when it is submitted, but it seems to be working.  Maybe there is a cleaner way to write this form? Do you think this would be secure? I tried querying the mailform page, and didn't get an error page with my email or password in it.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta name="robots" content="noindex,nofollow" />
</head>
<body>

<!--- Fetch the single row that holds the mail account's username and password --->
<cfquery name="validate" datasource="mydata">
SELECT * FROM mytable
WHERE id = '1'
</cfquery>

<cfif isValid("email", form.email)>

<!--- The query columns are referenced inside a CFOUTPUT over the query --->
<cfoutput query="validate">
<cfmail
server="mail.mydomain.org"
username="#validemail#"
password="#password#"
from="#form.email#"
to="test@mydomain.org"
subject="Visitation Response"
type="html"
>
    #form.Name# <br>
    #form.Comments# <br>
    <br>
    #form.Location# <br>
</cfmail>

<cflocation url="https://mydomain.com/thankyou.html">
</cfoutput>
<cfelse>
<h2>You must supply a valid email address.</h2>
</cfif>

</body>
</html>
 
LVL 13

Accepted Solution

by:
usachrisk1983 earned 1000 total points
ID: 17111819
While it may work, it's probably overkill.  Although you may argue that nothing is overkill for security :)  If you're going to go this route, I wouldn't wrap the CFMAIL inside the CFOUTPUT, do it like so:

<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta name="robots" content="noindex,nofollow" />
</head>

<!--- Fetch the single row that holds the mail account's username and password --->
<cfquery name="validate" datasource="mydata">
SELECT * FROM mytable
WHERE id = '1'
</cfquery>

<cfif isValid("email", form.email)>

<!--- Query columns are addressed as queryname.column, so no CFOUTPUT is needed --->
<cfmail
server="mail.mydomain.org"
username="#validate.validemail#"
password="#validate.password#"
from="#form.email#"
to="test@mydomain.org"
subject="Visitation Response"
type="html"
>
    #form.Name# <br>
    #form.Comments# <br>
    <br>
    #form.Location# <br>
</cfmail>

<cflocation url="https://mydomain.com/thankyou.html">
<cfelse>
<h2>You must supply a valid email address.</h2>
</cfif>
 
LVL 1

Author Comment

by:ServalStudios
ID: 17111878
Ah.. I thought you had to have a CFOUTPUT to get the info.. This is much better.. Thanks