Solved

CF - Help to prevent injection and or hijack of email server

Posted on 2014-12-11
Last Modified: 2014-12-11
We have found that emails were being sent from our email server. We were notified that this is the form that was being used. I did not write this and was wondering if anyone can point out where the code is allowing this to happen. For example I use query param to prevent SQL injection but I can't see where this code can be improved. I included the script in a txt file.

Any help is appreciated.

Thanks,
John
Question by:JohnMac328
6 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40494557
No text file here

Author Comment

by:JohnMac328
ID: 40494571
I will try again - if it does not work I will paste it also

<!--- Initialize variables --->

<!--- the form below also posts url.sharetype, so require it here as well --->
<cfif isDefined("url.link") and isDefined("url.title") and isDefined("url.sharetype")>
	<cfset validLink = "t" />
	<cfelse>
		<cfset validLink = "f" />
</cfif>

<cfset formPosted = "f" />

<!--- check form submission and insert data --->
<cfif isDefined("FORM.send")>
	<cfset typeLC = LCase(FORM.sharetype) />
	<!--- build HTML mail body --->
	<cfsavecontent variable="mailBodyHTM">
		<cfoutput>
		<html>
		<body topmargin="0" bottommargin="0" rightmargin="0" leftmargin="0" bgcolor="##ffffff">
		<style>
		body {
		margin:0;
		padding:0;
		font-family:Arial, Helvetica, sans-serif;
		color:##666666;
		font-size:12px;
		line-height:130%;
		}
		a:link, a:visited {
		color:##003161;
		text-decoration:none;
		}
		a:hover {
		color:##336;
		text-decoration:underline;
		}
		h3 {
		margin-top:1em;
		color:##003161;
		}
		</style>
		<table cellpadding="0" cellspacing="0" width="100%" border="0">
		<tr>
		<td valign="top" align="center"><table width="500" border="0" cellspacing="0" cellpadding="0">
		<tr>
		<td style="border-bottom:2px solid ##003161;"><a href="URL"><img src="image" alt="" width="454" height="71" border="0" /></a></td>
		</tr>
		<tr>
		<td><h3>Check Out This #FORM.sharetype#:</h3>
		<p>Your friend, #FORM.my_email#, thought you may be interested in this #typeLC# from <a href="URL">Company Name</a>:</p>
		<h3><a href="#FORM.url#">#FORM.title#</a></h3>
		<p>For more market insight read our award-winning C.E.O. blog from Boss, <a href="Link"><strong>Article</strong></a>, or our weekly newsletter, the .</p>
		<table cellpadding="0" cellspacing="0" border="0">
		<tr>
		<td><a href="URL" title="Follow us on Facebook"><img src="image" alt="Facebook" width="32" height="32" border="0" /></a>&nbsp;&nbsp;<a href="https://api.twitter.com/" title="Follow us on Twitter"><img src="http://www.company.com/media/eblast-art/EmailShareIcone_TW32.gif" alt="Twitter" width="32" height="32" border="0" /></a>&nbsp;&nbsp;</td>
		<td><p>Follow us on <a href="http://www.facebook.com/company" title="Follow us on Facebook">Facebook</a> or <a href="https://api.twitter.com/company" title="Follow us on Twitter">Twitter</a>.</p></td>
		</tr>
		</table>
		<p>Best Regards,<br />
		Company<br />
		<a href="http://www.company.com"><strong>www.company.com</strong></a></p>
		</td>
		</tr>
		<tr>
		<td style="border-top:2px solid ##003161; font-size:11px; text-align:center;"><p>company&bull; <a href="http://www.company.com">www.company.com</a> &bull; </p></td>
		</tr>
		</table></td>
		</tr>
		</table>
		</body>
		</html>
		</cfoutput>
	</cfsavecontent>
	<cfif FORM.sharetype EQ "Page">
		<cfset shareSubject = "Your Friend Has Shared a Page on company.com" />
		<cfelse>
			<cfset shareSubject = "Your Friend Has Shared an Article on company.com" />
	</cfif>
		
	<cfmail from = "#FORM.my_email#" to = "#FORM.f_email#" subject = "#shareSubject#">
		<cfmailpart type="text" wraptext="74">
			You are reading this message as plain text, because your mail reader
			does not handle HTML text.
		</cfmailpart>
		
		<cfmailpart type="html">
			#mailBodyHTM#
		</cfmailpart>
	</cfmail>

	<cfset formPosted = "t" />
</cfif>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Email to a Friend</title>
<style>
body {
	margin:0;
	padding:0;
	background-color:#ffffff;
	color:#999999;
	font-family:Arial, Helvetica, sans-serif;
}
#share_form {
	padding:8px;
	border:2px solid #003161;
	font-size:11px;
}
form div {
	margin:8px auto;
	padding:0;
	width:200px;
	text-align:left;
}
label {
	display:block;
	margin:0;
	font-size:10px;
	text-transform:uppercase;
	color:#003161;
	text-align:left;
}
input {
	border:2px solid #dfe7ed;
	height:14px;
	line-height:14px;
	color:#666666;
	width:200px;
}
input#send {
	display:block;
	margin:8px auto;
	padding:4px 0;
	width:200px;
	height:auto;
	border:2px solid #003161;
	background-color:#dfe7ed;
	border-radius:8px;
	text-align:center;
	font-weight:bold;
	font-size:12px;
	text-transform:uppercase;
	color:#003161;
}
input#send:hover {
	background-color:#80a1b6;
	color:#ffffff;
}

input#sendDIS {
	display:block;
	margin:8px auto;
	padding:4px 0;
	width:200px;
	height:auto;
	border:2px solid #999999;
	background-color:#CCC;
	border-radius:8px;
	text-align:center;
	font-weight:bold;
	font-size:12px;
	text-transform:uppercase;
	color:#666;
}
</style>

<!-- CF javascript form validation -->
<script type="text/javascript" src="http://www.company.com/scripts/cfform.js"></script>
<script type="text/javascript" src="http://www.company.com/scripts/masks.js"></script>
</head>

<body>
<cfoutput>
<cfif formPosted EQ "t">
	<p align="center"><strong>Thank you for your interest.</strong><br />Your email has been sent.</p>
	<cfelse>
		<cfif validLink EQ "t">
			<!--- check for valid QueryStrings --->
			<cfform name="share_form" id="share_form" method="post" action="http://www.company.com/company/Send.cfm?frm=sent" onsubmit="return _CF_checkform(this)">
			
				<div>
					<label>From:</label>
					<cfinput type="text" name="my_email" id="my_email" value="Your Email" size="25" onFocus="this.value='';" validate="email" required="Yes" message="Error From field: Please enter a valid email address" />
				</div>
				<div>
					<label>To:</label>
					<cfinput type="text" name="f_email" id="f_email" value="Friend's Email" size="25" onFocus="this.value='';" validate="email" required="Yes" message="Error To field: Please enter a valid email address" />
				</div>
					<cfinput type="hidden" name="title" value="#url.title#" />
					<cfinput type="hidden" name="url" value="#url.link#" />
					<cfinput type="hidden" name="sharetype" value="#url.sharetype#" />
					<cfinput type="submit" name="send" value="Send Email" id="send" />
			</cfform>
		<cfelse>
		<!--- if no valid querystrings, do not display form --->
			<center>
			<h2>Invalid Access</h2>
			<p>Please return to <a href="http://www.company.com">company.com</a></p>
			</center>
		</cfif> <!--- end check validLink --->
</cfif>
</cfoutput> <!--- end check formPosted --->
</body>
</html>

LVL 52

Expert Comment

by:_agx_
ID: 40494625
Looks like it would allow a spammer to send out that email - with spam links instead - using any from/to email addresses they wanted, just by doing a fake http post.
Author Comment

by:JohnMac328
ID: 40494629
Hi agx - that is exactly what is happening - any way to prevent it?
LVL 52

Accepted Solution

by: _agx_ (earned 2000 total points)
ID: 40494663
You need to implement something like captcha or form protect to prevent bots or automated submissions. Examples:

http://cfformmail.riaforge.org/
http://www.bennadel.com/blog/929-preventing-spam-bot-form-submissions-with-coldfusion-revisited.htm
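The diagnosis above (any client can POST whatever From, To, link and title it likes) and the accepted answer both come down to the handler trusting every field it receives. As an added example, not code from this thread, here is a hardened version of the posted send handler: the linking page HMAC-signs the hidden fields, both addresses are validated and checked for header-injection line breaks, the shared link is pinned to the company host, From is fixed with the visitor's address moved to Reply-To, and a per-session cap stands in until a captcha is added. It assumes ColdFusion 10+ (for hmac()), a secret in application.shareSecret, session management enabled, and www.company.com as a placeholder host.

```cfml
<!--- Hardened "email to a friend" handler: an added example, not the script posted above.
      Assumes ColdFusion 10+ (hmac()), a secret in application.shareSecret, session management
      enabled, and the company site at www.company.com (placeholder host). --->
<cfset siteHost = "www.company.com" />
<!--- The linking page appends sig=#signShare(link, title, sharetype)# so the hidden
      fields cannot be rewritten to carry a spammer's link or title. --->
<cffunction name="signShare" returntype="string" output="false">
	<cfargument name="link" type="string" required="true" />
	<cfargument name="title" type="string" required="true" />
	<cfargument name="sharetype" type="string" required="true" />
	<cfreturn lcase(hmac(arguments.link & chr(0) & arguments.title & chr(0) & arguments.sharetype,
	                     application.shareSecret, "HMACSHA256")) />
</cffunction>

<cfset formPosted = "f" />
<cfset errors = [] />
<cfif cgi.request_method EQ "POST" AND structKeyExists(FORM, "send")>
	<cfloop list="my_email,f_email,url,title,sharetype,sig" index="f"><cfparam name="FORM.#f#" default="" /></cfloop>
	<!--- Addresses must be well formed and free of CR/LF, so no extra mail headers can be injected --->
	<cfif NOT isValid("email", FORM.my_email) OR NOT isValid("email", FORM.f_email)
	      OR reFind("[" & chr(13) & chr(10) & "]", FORM.my_email & FORM.f_email)>
		<cfset arrayAppend(errors, "Invalid email address") />
	</cfif>
	<!--- The shared link must point at our own host, never an arbitrary site --->
	<cfif NOT reFindNoCase("^https?://" & replace(siteHost, ".", "\.", "all") & "(/|$)", FORM.url)>
		<cfset arrayAppend(errors, "Link must be on #siteHost#") />
	</cfif>
	<!--- Hidden fields must match what the linking page signed --->
	<cfif compare(FORM.sig, signShare(FORM.url, FORM.title, FORM.sharetype)) NEQ 0>
		<cfset arrayAppend(errors, "Form data has been altered") />
	</cfif>
	<!--- Crude per-session cap; pair it with a captcha as the accepted answer suggests --->
	<cfparam name="session.shareCount" default="0" />
	<cfif session.shareCount GTE 5>
		<cfset arrayAppend(errors, "Too many shares from this session") />
	</cfif>

	<cfif arrayLen(errors) EQ 0>
		<cfset session.shareCount = session.shareCount + 1 />
		<!--- Fixed From so the server never relays for arbitrary senders; the visitor's
		      address goes in Reply-To, and every field is HTML-escaped in the body --->
		<cfmail from="noreply@#siteHost#" replyto="#FORM.my_email#" to="#FORM.f_email#"
		        subject="Your friend has shared a page on #siteHost#" type="html">
			<p>Your friend, #htmlEditFormat(FORM.my_email)#, thought you may be interested in
			<a href="#htmlEditFormat(FORM.url)#">#htmlEditFormat(FORM.title)#</a>.</p>
		</cfmail>
		<cfset formPosted = "t" />
	</cfif>
</cfif>
```

The signature stops the title and link from being swapped for spam, but a bot can still submit a legitimate link to many recipients, which is why the session cap (and the captcha from the accepted answer) is still needed.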

Author Comment

by:JohnMac328
ID: 40494668
Thanks agx - I will get started.
