CF - Help to prevent injection and/or hijack of email server

We have found that emails were being sent from our email server.  We were notified that this is the form that was being used.  I did not write this and was wondering if anyone can point out where the code is allowing this to happen.  For example, I use query params to prevent SQL injection, but I can't see where this code can be improved. I included the script in a txt file.

Any help is appreciated.

Thanks,
John
JohnMac328 asked:
Neil Russell (Technical Development Lead) commented:
No text file here
JohnMac328 (Author) commented:
I will try again - if it does not work I will paste it also

<!--- Initialize variables --->

<!--- the form below reads url.sharetype as well, so require all three query strings --->
<cfif isDefined("url.link") and isDefined("url.title") and isDefined("url.sharetype")>
	<cfset validLink = "t" />
	<cfelse>
		<cfset validLink = "f" />
</cfif>

<cfset formPosted = "f" />

<!--- check form submission and insert data --->
<cfif isDefined("FORM.send")>
	<cfset typeLC=LCase(#FORM.sharetype#) />
	<!--- build HTML mail body --->
	<cfsavecontent variable="mailBodyHTM">
		<cfoutput>
		<html>
		<body topmargin="0" bottommargin="0" rightmargin="0" leftmargin="0" bgcolor="##ffffff">
		<style>
		body {
		margin:0;
		padding:0;
		font-family:Arial, Helvetica, sans-serif;
		color:##666666;
		font-size:12px;
		line-height:130%;
		}
		a:link, a:visited {
		color:##003161;
		text-decoration:none;
		}
		a:hover {
		color:##336;
		text-decoration:underline;
		}
		h3 {
		margin-top:1em;
		color:##003161;
		}
		</style>
		<table cellpadding="0" cellspacing="0" width="100%" border="0">
		<tr>
		<td valign="top" align="center"><table width="500" border="0" cellspacing="0" cellpadding="0">
		<tr>
		<td style="border-bottom:2px solid ##003161;"><a href="URL"><img src="image" alt="" width="454" height="71" border="0" /></a></td>
		</tr>
		<tr>
		<td><h3>Check Out This #FORM.sharetype#:</h3>
		<p>Your friend, #my_email#, thought you may be interested in this #typeLC# from <a href="URL">Company Name</a>:</p>
		<h3><a href="#FORM.url#">#FORM.title#</a></h3>
		<p>For more market insight read our award-winning C.E.O. blog from Boss, <a href="Link"><strong>Article</strong></a>, or our weekly newsletter, the .</p>
		<table cellpadding="0" cellspacing="0" border="0">
		<tr>
		<td><a href="URL" title="Follow us on Facebook"><img src="image" alt="Facebook" width="32" height="32" border="0" /></a>&nbsp;&nbsp;<a href="https://api.twitter.com/" title="Follow us on Twitter"><img src="http://www.company.com/media/eblast-art/EmailShareIcone_TW32.gif" alt="Twitter" width="32" height="32" border="0" /></a>&nbsp;&nbsp;</td>
		<td><p>Follow us on <a href="http://www.facebook.com/company" title="Follow us on Facebook">Facebook</a> or <a href="https://api.twitter.com/company" title="Follow us on Twitter">Twitter</a>.</p></td>
		</tr>
		</table>
		<p>Best Regards,<br />
		Company<br />
		<a href="http://www.company.com"><strong>www.company.com</strong></a></p>
		</td>
		</tr>
		<tr>
		<td style="border-top:2px solid ##003161; font-size:11px; text-align:center;"><p>company&bull; <a href="http://www.company.com">www.company.com</a> &bull; </p></td>
		</tr>
		</table></td>
		</tr>
		</table>
		</body>
		</html>
		</cfoutput>
	</cfsavecontent>
	<cfif FORM.sharetype EQ "Page">
		<cfset shareSubject = "Your Friend Has Shared a Page on company.com" />
		<cfelse>
			<cfset shareSubject = "Your Friend Has Shared an Article on company.com" />
	</cfif>
		
	<cfmail from = "#FORM.my_email#" to = "#FORM.f_email#" subject = "#shareSubject#">
		<cfmailpart type="text" wraptext="74">
			You are reading this message as plain text, because your mail reader
			does not handle HTML text.
		</cfmailpart>
		
		<cfmailpart type="html">
			#mailBodyHTM#
		</cfmailpart>
	</cfmail>

	<cfset formPosted = "t" />
</cfif>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Email to a Friend</title>
<style>
body {
	margin:0;
	padding:0;
	background-color:#ffffff;
	color:#999999;
	font-family:Arial, Helvetica, sans-serif;
}
#share_form {
	padding:8px;
	border:2px solid #003161;
	font-size:11px;
}
form div {
	margin:8px auto;
	padding:0;
	width:200px;
	text-align:left;
}
label {
	display:block;
	margin:0;
	font-size:10px;
	text-transform:uppercase;
	color:#003161;
	text-align:left;
}
input {
	border:2px solid #dfe7ed;
	height:14px;
	line-height:14px;
	color:#666666;
	width:200px;
}
input#send {
	display:block;
	margin:8px auto;
	padding:4px 0;
	width:200px;
	height:auto;
	border:2px solid #003161;
	background-color:#dfe7ed;
	border-radius:8px;
	text-align:center;
	font-weight:bold;
	font-size:12px;
	text-transform:uppercase;
	color:#003161;
}
input#send:hover {
	background-color:#80a1b6;
	color:#ffffff;
}

input#sendDIS {
	display:block;
	margin:8px auto;
	padding:4px 0;
	width:200px;
	height:auto;
	border:2px solid #999999;
	background-color:#CCC;
	border-radius:8px;
	text-align:center;
	font-weight:bold;
	font-size:12px;
	text-transform:uppercase;
	color:#666;
}
</style>

<!-- CF javascript form validation -->
<script type="text/javascript" src="http://www.company.com/scripts/cfform.js"></script>
<script type="text/javascript" src="http://www.company.com/scripts/masks.js"></script>
</head>

<body>
<cfoutput>
<cfif formPosted EQ "t">
	<p align="center"><strong>Thank you for your interest.</strong><br />Your email has been sent.</p>
	<cfelse>
		<cfif validLink EQ "t">
			<!--- check for valid QueryStrings --->
			<cfform name="share_form" id="share_form" method="post" action="http://www.company.com/company/Send.cfm?frm=sent" onsubmit="return _CF_checkform(this)">
			
				<div>
					<label>From:</label>
					<cfinput type="text" name="my_email" id="my_email" value="Your Email" size="25" onFocus="this.value='';" validate="email" required="Yes" message="Error From field: Please enter a valid email address" />
				</div>
				<div>
					<label>To:</label>
					<cfinput type="text" name="f_email" id="f_email" value="Friend's Email" size="25" onFocus="this.value='';" validate="email" required="Yes" message="Error To field: Please enter a valid email address" />
				</div>
					<cfinput type="hidden" name="title" value="#url.title#" />
					<cfinput type="hidden" name="url" value="#url.link#" />
					<cfinput type="hidden" name="sharetype" value="#url.sharetype#" />
					<cfinput type="submit" name="send" value="Send Email" id="send" />
			</cfform>
		<cfelse>
		<!--- if no valid querystrings, do not display form --->
			<center>
			<h2>Invalid Access</h2>
			<p>Please return to <a href="http://www.company.com">company.com</a></p>
			</center>
		</cfif> <!--- end check validLink --->
</cfif>
</cfoutput> <!--- end check formPosted --->
</body>
</html>

_agx_ commented:
Looks like it would allow a spammer to send out that email - with spam links instead - using any from/to email addresses they wanted, just by doing a fake http post.
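The checks that agx's point calls for, as an added example that is not part of the original thread or of the poster's Send.cfm. The posted script takes my_email, f_email, url, title and sharetype straight from the POST body and uses them as the From header, the To header, the link and the link text, so anyone who sends a POST to Send.cfm picks all of them. The example is written in Python so it runs stand-alone; the same rules belong in Send.cfm ahead of the cfmail tag. The site host name, the accepted share types and the fixed From address are assumptions.

```python
"""Server-side validation for the share-by-email POST (added example)."""
import re
from html import escape
from typing import Optional
from urllib.parse import urlparse

SITE_HOST = "www.company.com"              # assumption: only host a shared link may point at
ALLOWED_SHARE_TYPES = {"Page", "Article"}  # assumption: the two types the subject logic knows
FIXED_FROM = "share@company.com"           # assumption: a From address the site controls

# One local part, one domain, no whitespace and no CR/LF anywhere: a CR/LF
# inside an address is how an extra header such as Bcc: gets injected.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_clean_email(value: str) -> bool:
    return _EMAIL_RE.fullmatch(value) is not None


def is_site_url(value: str) -> bool:
    """Only http(s) links on our own host may be shared, and never with CR/LF."""
    if "\r" in value or "\n" in value:
        return False
    try:
        parsed = urlparse(value)
        host = parsed.hostname      # userinfo tricks such as host@evil resolve to evil
    except ValueError:              # malformed netloc, e.g. unbalanced IPv6 brackets
        return False
    return parsed.scheme in ("http", "https") and host == SITE_HOST


def subject_for(sharetype: str) -> str:
    """Same two subjects the original script chooses between."""
    if sharetype == "Page":
        return "Your Friend Has Shared a Page on company.com"
    return "Your Friend Has Shared an Article on company.com"


def validate_share_request(form: dict) -> tuple[bool, list, Optional[dict]]:
    """Return (ok, errors, mail); mail holds the only values the template may use."""
    errors = []
    my_email = form.get("my_email", "").strip()
    f_email = form.get("f_email", "").strip()
    url = form.get("url", "").strip()
    title = form.get("title", "").strip()
    sharetype = form.get("sharetype", "").strip()

    if not is_clean_email(my_email):
        errors.append("my_email")
    if not is_clean_email(f_email):
        errors.append("f_email")
    if not is_site_url(url):
        errors.append("url")
    if not 0 < len(title) <= 200:
        errors.append("title")
    if sharetype not in ALLOWED_SHARE_TYPES:
        errors.append("sharetype")
    if errors:
        return False, errors, None

    mail = {
        "from": FIXED_FROM,          # the visitor's address is never the From header
        "reply_to": my_email,
        "to": f_email,
        "subject": subject_for(sharetype),
        # encode before interpolating into the HTML body (EncodeForHTML in CFML)
        "title_html": escape(title, quote=True),
        "url_html": escape(url, quote=True),
        "sender_html": escape(my_email, quote=True),
    }
    return True, [], mail
```

Three of the choices matter more than the email regex. The From header is pinned to an address the site owns and the visitor's address goes in Reply-To, because a From chosen by the poster both hands the spammer a free sender and gets the site's mail server sending on behalf of domains it has no SPF or DMARC authority for. The shared link is allow-listed to the site's own host, which removes the payload the spammer is after. And the title is HTML-encoded, since it lands inside the mail body as raw markup.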
JohnMac328 (Author) commented:
Hi agx - that is exactly what is happening - any way to prevent it?
_agx_ commented:
You need to implement something like captcha or form protect to prevent bots or automated submissions. Examples:

http://cfformmail.riaforge.org/
http://www.bennadel.com/blog/929-preventing-spam-bot-form-submissions-with-coldfusion-revisited.htm
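A form-protection layer in the spirit of the two links above: a signed, time-limited token issued when the form is rendered, a honeypot field, and a per-client rate limit. This is an added example written for this page, not code from the thread, from cfformmail or from Ben Nadel's post, and CAPTCHA itself (a third-party widget) is not modelled. It is in Python so it runs stand-alone; the secret, the field names and the limits are assumptions.

```python
"""Form token, honeypot and rate limit for the share form (added example)."""
import hashlib
import hmac
import json
import secrets
import time
from collections import defaultdict, deque
from typing import Optional

SECRET = b"rotate-me-and-load-from-server-config"  # assumption: never keep in source
TOKEN_TTL = 15 * 60          # seconds a rendered form stays submittable
HONEYPOT_FIELD = "website"   # assumption: field hidden by CSS that a human never fills


def _sign(parts: list) -> str:
    # JSON canonicalises the fields so "a|b" in a title cannot collide with a boundary
    msg = json.dumps(parts, separators=(",", ":")).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(link: str, title: str, sharetype: str, now: Optional[float] = None) -> str:
    """Embed this in the form next to the hidden fields when the GET renders it."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return f"{ts}.{nonce}.{_sign([ts, nonce, link, title, sharetype])}"


def verify_token(token: str, link: str, title: str, sharetype: str,
                 now: Optional[float] = None) -> bool:
    """True only for an unexpired token signed over exactly these hidden fields."""
    try:
        ts_s, nonce, sig = token.split(".")
        ts = int(ts_s)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if not 0 <= now - ts <= TOKEN_TTL:
        return False
    return hmac.compare_digest(_sign([ts, nonce, link, title, sharetype]), sig)


class RateLimiter:
    """Sliding window: at most `limit` sends per `window` seconds for each key."""

    def __init__(self, limit: int = 5, window: int = 3600):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        q = self._hits[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def accept_submission(form: dict, client_ip: str, limiter: RateLimiter,
                      now: Optional[float] = None) -> tuple[bool, str]:
    """Gate the POST before any mail is built; returns (accepted, reason)."""
    if form.get(HONEYPOT_FIELD, ""):
        return False, "honeypot filled"
    if not verify_token(form.get("token", ""), form.get("url", ""),
                        form.get("title", ""), form.get("sharetype", ""), now):
        return False, "bad or expired token"
    if not limiter.allow(client_ip, now):
        return False, "rate limited"
    return True, "ok"
```

The token is signed over the hidden url, title and sharetype values, so a POST has to originate from a form the site rendered within the last fifteen minutes and cannot alter those fields afterwards. On its own that is not enough for this script: the form is rendered for any url.link the visitor supplies, so the token must sit alongside a check that the link points at the site's own host. The honeypot input must be hidden with CSS rather than type="hidden", since bots skip hidden inputs but fill visible-looking ones, and the rate limiter here is in-process memory, which is fine for a single server and needs a shared store behind a load balancer.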
JohnMac328 (Author) commented:
Thanks agx - I will get started.