Solved

CF - Help to prevent injection and or hijack of email server

Posted on 2014-12-11
6
218 Views
Last Modified: 2014-12-11
We have found that emails were being sent from our email server. We were notified that this is the form that was being used. I did not write this and was wondering if anyone can point out where the code is allowing this to happen. For example I use query param to prevent SQL injection but I can't see where this code can be improved. I included the script in a txt file.

Any help is appreciated.

Thanks,
John
Question by:JohnMac328
6 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40494557
No text file here

Author Comment

by:JohnMac328
ID: 40494571
I will try again - if it does not work I will paste it also

<!--- Initialize variables --->

<cfif isDefined("url.link") and isDefined("url.title")>
	<cfset validLink = "t" />
	<cfelse>
		<cfset validLink = "f" />
</cfif>

<cfset formPosted = "f" />

<!--- check form submission and insert data --->
<cfif isDefined("FORM.send")>
	<cfset typeLC = LCase(FORM.sharetype) />
	<!--- build HTML mail body --->
	<cfsavecontent variable="mailBodyHTM">
		<cfoutput>
		<html>
		<body topmargin="0" bottommargin="0" rightmargin="0" leftmargin="0" bgcolor="##ffffff">
		<style>
		body {
		margin:0;
		padding:0;
		font-family:Arial, Helvetica, sans-serif;
		color:##666666;
		font-size:12px;
		line-height:130%;
		}
		a:link, a:visited {
		color:##003161;
		text-decoration:none;
		}
		a:hover {
		color:##336;
		text-decoration:underline;
		}
		h3 {
		margin-top:1em;
		color:##003161;
		}
		</style>
		<table cellpadding="0" cellspacing="0" width="100%" border="0">
		<tr>
		<td valign="top" align="center"><table width="500" border="0" cellspacing="0" cellpadding="0">
		<tr>
		<td style="border-bottom:2px solid ##003161;"><a href="URL"><img src="image" alt="" width="454" height="71" border="0" /></a></td>
		</tr>
		<tr>
		<td><h3>Check Out This #FORM.sharetype#:</h3>
		<p>Your friend, #my_email#, thought you may be interested in this #typeLC# from <a href="URL">Company Name</a>:</p>
		<h3><a href="#FORM.url#">#FORM.title#</a></h3>
		<p>For more market insight read our award-winning C.E.O. blog from Boss, <a href="Link"><strong>Article</strong></a>, or our weekly newsletter, the .</p>
		<table cellpadding="0" cellspacing="0" border="0">
		<tr>
		<td><a href="URL" title="Follow us on Facebook"><img src="image" alt="Facebook" width="32" height="32" border="0" /></a>&nbsp;&nbsp;<a href="https://api.twitter.com/" title="Follow us on Twitter"><img src="http://www.company.com/media/eblast-art/EmailShareIcone_TW32.gif" alt="Twitter" width="32" height="32" border="0" /></a>&nbsp;&nbsp;</td>
		<td><p>Follow us on <a href="http://www.facebook.com/company" title="Follow us on Facebook">Facebook</a> or <a href="https://api.twitter.com/company" title="Follow us on Twitter">Twitter</a>.</p></td>
		</tr>
		</table>
		<p>Best Regards,<br />
		Company<br />
		<a href="http://www.company.com"><strong>www.company.com</strong></a></p>
		</td>
		</tr>
		<tr>
		<td style="border-top:2px solid ##003161; font-size:11px; text-align:center;"><p>company&bull; <a href="http://www.company.com">www.company.com</a> &bull; </p></td>
		</tr>
		</table></td>
		</tr>
		</table>
		</body>
		</html>
		</cfoutput>
	</cfsavecontent>
	<cfif FORM.sharetype EQ "Page">
		<cfset shareSubject = "Your Friend Has Shared a Page on company.com" />
		<cfelse>
			<cfset shareSubject = "Your Friend Has Shared an Article on company.com" />
	</cfif>
		
	<cfmail from = "#FORM.my_email#" to = "#FORM.f_email#" subject = "#shareSubject#">
		<cfmailpart type="text" wraptext="74">
			You are reading this message as plain text, because your mail reader
			does not handle HTML text.
		</cfmailpart>
		
		<cfmailpart type="html">
			#mailBodyHTM#
		</cfmailpart>
	</cfmail>

	<cfset formPosted = "t" />
</cfif>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Email to a Friend</title>
<style>
body {
	margin:0;
	padding:0;
	background-color:#ffffff;
	color:#999999;
	font-family:Arial, Helvetica, sans-serif;
}
#share_form {
	padding:8px;
	border:2px solid #003161;
	font-size:11px;
}
form div {
	margin:8px auto;
	padding:0;
	width:200px;
	text-align:left;
}
label {
	display:block;
	margin:0;
	font-size:10px;
	text-transform:uppercase;
	color:#003161;
	text-align:left;
}
input {
	border:2px solid #dfe7ed;
	height:14px;
	line-height:14px;
	color:#666666;
	width:200px;
}
input#send {
	display:block;
	margin:8px auto;
	padding:4px 0;
	width:200px;
	height:auto;
	border:2px solid #003161;
	background-color:#dfe7ed;
	border-radius:8px;
	text-align:center;
	font-weight:bold;
	font-size:12px;
	text-transform:uppercase;
	color:#003161;
}
input#send:hover {
	background-color:#80a1b6;
	color:#ffffff;
}

input#sendDIS {
	display:block;
	margin:8px auto;
	padding:4px 0;
	width:200px;
	height:auto;
	border:2px solid #999999;
	background-color:#CCC;
	border-radius:8px;
	text-align:center;
	font-weight:bold;
	font-size:12px;
	text-transform:uppercase;
	color:#666;
}
</style>

<!-- CF javascript form validation -->
<script type="text/javascript" src="http://www.company.com/scripts/cfform.js"></script>
<script type="text/javascript" src="http://www.company.com/scripts/masks.js"></script>
</head>

<body>
<cfoutput>
<cfif formPosted EQ "t">
	<p align="center"><strong>Thank you for your interest.</strong><br />Your email has been sent.</p>
	<cfelse>
		<cfif validLink EQ "t">
			<!--- check for valid QueryStrings --->
			<cfform name="share_form" id="share_form" method="post" action="http://www.company.com/company/Send.cfm?frm=sent" onsubmit="return _CF_checkform(this)">
			
				<div>
					<label>From:</label>
					<cfinput type="text" name="my_email" id="my_email" value="Your Email" size="25" onFocus="this.value='';" validate="email" required="Yes" message="Error From field: Please enter a valid email address" />
				</div>
				<div>
					<label>To:</label>
					<cfinput type="text" name="f_email" id="f_email" value="Friend's Email" size="25" onFocus="this.value='';" validate="email" required="Yes" message="Error To field: Please enter a valid email address" />
				</div>
					<cfinput type="hidden" name="title" value="#url.title#" />
					<cfinput type="hidden" name="url" value="#url.link#" />
					<cfinput type="hidden" name="sharetype" value="#url.sharetype#" />
					<cfinput type="submit" name="send" value="Send Email" id="send" />
			</cfform>
		<cfelse>
		<!--- if no valid querystrings, do not display form --->
			<center>
			<h2>Invalid Access</h2>
			<p>Please return to <a href="http://www.company.com">company.com</a></p>
			</center>
		</cfif> <!--- end check validLink --->
</cfif>
</cfoutput> <!--- end check formPosted --->
</body>
</html>

LVL 52

Expert Comment

by:_agx_
ID: 40494625
Looks like it would allow a spammer to send out that email - with spam links instead - using any from/to email addresses they wanted, just by doing a fake http post.

Author Comment

by:JohnMac328
ID: 40494629
Hi agx - that is exactly what is happening - any way to prevent it?
LVL 52

Accepted Solution

by:
_agx_ earned 500 total points
ID: 40494663
You need to implement something like captcha or form protect to prevent bots or automated submissions. Examples:

http://cfformmail.riaforge.org/
http://www.bennadel.com/blog/929-preventing-spam-bot-form-submissions-with-coldfusion-revisited.htm
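Added example (not part of this thread, not _agx_'s answer and not code from either linked project): a hardened replacement for the request-handling part of the posted Send.cfm. It addresses the two points raised above, the fake HTTP POST with arbitrary from/to addresses and the spam link, by validating on the server what the original only validated in the browser, sending from a fixed mailbox, restricting the shared link to the site's own host, and rejecting posts that lack a fresh per-session token or that fill a honeypot field. Assumed (placeholders, not from the page): an Application.cfc with sessionManagement="true", APPLICATION.siteHost and APPLICATION.shareSender set in onApplicationStart, a hidden form field named "token" filled from SESSION.shareToken, and an empty honeypot field named "website".

```cfml
<!--- Hardened Send.cfm request handling (added example). Assumes Application.cfc with
      sessionManagement="true" and, set in onApplicationStart (placeholders):
      APPLICATION.siteHost   = "www.company.com"
      APPLICATION.shareSender = "share@company.com"   (a mailbox the server may send as) --->
<cfscript>
// Issue a one-time token on first page load. A scripted POST that never rendered
// the form, or that replays an old token, fails the check below.
if (!structKeyExists(SESSION, "shareToken")) {
    SESSION.shareToken  = createUUID();
    SESSION.shareIssued = now();
    SESSION.shareCount  = 0;
}

// Validates the posted form. Returns { ok, errors, data }; only result.data is used
// to build the mail, so nothing reaches cfmail unchecked.
function validateShareRequest(required struct form, required struct session) {
    var result = { ok = false, errors = [], data = {} };
    var f = ""; var link = ""; var parsed = ""; var linkHost = ""; var linkScheme = "";

    // 1. Token must match the session and be at most 10 minutes old.
    if (!structKeyExists(arguments.form, "token")
        || compare(arguments.form.token, arguments.session.shareToken) != 0
        || dateDiff("n", arguments.session.shareIssued, now()) > 10) {
        arrayAppend(result.errors, "invalid or expired form token");
    }
    // 2. Honeypot: hidden from humans by CSS, usually filled in by bots.
    if (structKeyExists(arguments.form, "website") && len(trim(arguments.form.website))) {
        arrayAppend(result.errors, "honeypot field populated");
    }
    // 3. Per-session send limit; a person shares a handful of pages, not hundreds.
    if (arguments.session.shareCount >= 5) {
        arrayAppend(result.errors, "send limit reached for this session");
    }
    // 4. Server-side address validation. cfinput validate="email" runs only in the
    //    browser, so a hand-made POST skips it entirely.
    for (f in ["my_email", "f_email"]) {
        if (!structKeyExists(arguments.form, f) || !isValid("email", arguments.form[f])) {
            arrayAppend(result.errors, "#f# is not a valid email address");
        } else {
            result.data[f] = trim(arguments.form[f]);
        }
    }
    // 5. The shared link must be an http(s) URL on our own host, so the message
    //    can never carry someone else's link.
    link = structKeyExists(arguments.form, "url") ? trim(arguments.form.url) : "";
    try {
        parsed     = createObject("java", "java.net.URL").init(link);
        linkHost   = parsed.getHost();
        linkScheme = parsed.getProtocol();
    } catch (any e) { }
    if (compareNoCase(linkHost, APPLICATION.siteHost) != 0 || !listFindNoCase("http,https", linkScheme)) {
        arrayAppend(result.errors, "url must point to #APPLICATION.siteHost#");
    } else {
        result.data.url = link;
    }
    // 6. sharetype comes from a fixed vocabulary; title is length-capped here and
    //    HTML-encoded where it is output.
    if (!structKeyExists(arguments.form, "sharetype") || !listFindNoCase("Page,Article", arguments.form.sharetype)) {
        arrayAppend(result.errors, "unknown sharetype");
    } else {
        result.data.sharetype = arguments.form.sharetype;
    }
    result.data.title = left(trim(structKeyExists(arguments.form, "title") ? arguments.form.title : ""), 200);

    // A CAPTCHA check, as the answer suggests, would be one more test here; the
    // verification call depends on the service chosen, so it is not shown.
    result.ok = arrayIsEmpty(result.errors);
    return result;
}
</cfscript>

<cfset formPosted = "f" />
<cfif isDefined("FORM.send")>
    <cfset check = validateShareRequest(FORM, SESSION) />
    <cfif check.ok>
        <!--- Rotate the token so the same POST cannot be replayed, and count the send. --->
        <cfset SESSION.shareToken  = createUUID() />
        <cfset SESSION.shareIssued = now() />
        <cfset SESSION.shareCount  = SESSION.shareCount + 1 />
        <!--- "from" is the fixed, authorised mailbox; the visitor's address only goes into
              Reply-To, so the server never sends as an arbitrary address. --->
        <cfmail from="#APPLICATION.shareSender#" replyto="#check.data.my_email#" to="#check.data.f_email#"
                subject="Your Friend Has Shared a #check.data.sharetype# on company.com" type="html">
            <p>Your friend, #encodeForHTML(check.data.my_email)#, thought you may be interested
            in this #lCase(check.data.sharetype)#:</p>
            <h3><a href="#encodeForHTMLAttribute(check.data.url)#">#encodeForHTML(check.data.title)#</a></h3>
        </cfmail>
        <cfset formPosted = "t" />
    <cfelse>
        <!--- Rejections are the abuse signal: record the source and the reasons. --->
        <cflog file="share_form" type="warning"
               text="rejected share from #CGI.REMOTE_ADDR#: #arrayToList(check.errors, '; ')#" />
    </cfif>
</cfif>
```

To use it, the form in the page needs two extra fields inside the cfform: `<cfinput type="hidden" name="token" value="#SESSION.shareToken#" />` and a honeypot such as `<input type="text" name="website" value="" style="display:none" autocomplete="off" />`. The hidden title/url/sharetype fields can stay, since their values are now re-checked on the server instead of being trusted. Note that isValid("email") still lets a visitor pick any recipient; it is the fixed sender, the host restriction on the link, the token and the per-session limit together that take away what a spammer gets from the page. Watching the share_form log for bursts of rejections from one address is the quickest way to confirm the abuse has stopped.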

Author Comment

by:JohnMac328
ID: 40494668
Thanks agx - I will get started.
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Ransomware continues to grow in reach and sophistication, putting data everywhere at risk. Learn how to avoid being caught in its sinister clutches with these 11 key tips.
The viewer will the learn the benefit of plain text editors and code an HTML5 based template for use in further tutorials.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question