Solved

CF - Help to prevent injection and/or hijack of email server

Posted on 2014-12-11
217 Views
Last Modified: 2014-12-11
We have found that emails were being sent from our email server.  We were notified that this is the form that was being used.  I did not write this and was wondering if anyone can point out where the code is allowing this to happen.  For example, I use query param to prevent SQL injection, but I can't see where this code can be improved. I included the script in a txt file.

Any help is appreciated.

Thanks,
John
Question by:JohnMac328
6 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40494557
No text file here

Author Comment

by:JohnMac328
ID: 40494571
I will try again - if it does not work I will paste it also

<!--- Initialize variables --->

<!--- only url.link and url.title are checked here; url.sharetype is read when the form is rendered below without any check --->
<cfif isDefined("url.link") and isDefined("url.title")>
	<cfset validLink = "t" />
<cfelse>
	<cfset validLink = "f" />
</cfif>

<cfset formPosted = "f" />

<!--- check form submission and insert data --->
<!--- FORM.send is the only gate: any POST that carries a "send" field reaches the cfmail below --->
<cfif isDefined("FORM.send")>
	<cfset typeLC = LCase(FORM.sharetype) />
	<!--- build HTML mail body --->
	<cfsavecontent variable="mailBodyHTM">
		<cfoutput>
		<html>
		<body topmargin="0" bottommargin="0" rightmargin="0" leftmargin="0" bgcolor="##ffffff">
		<style>
		body {
		margin:0;
		padding:0;
		font-family:Arial, Helvetica, sans-serif;
		color:##666666;
		font-size:12px;
		line-height:130%;
		}
		a:link, a:visited {
		color:##003161;
		text-decoration:none;
		}
		a:hover {
		color:##336;
		text-decoration:underline;
		}
		h3 {
		margin-top:1em;
		color:##003161;
		}
		</style>
		<table cellpadding="0" cellspacing="0" width="100%" border="0">
		<tr>
		<td valign="top" align="center"><table width="500" border="0" cellspacing="0" cellpadding="0">
		<tr>
		<td style="border-bottom:2px solid ##003161;"><a href="URL"><img src="image" alt="" width="454" height="71" border="0" /></a></td>
		</tr>
		<tr>
		<td><h3>Check Out This #FORM.sharetype#:</h3>
		<p>Your friend, #my_email#, thought you may be interested in this #typeLC# from <a href="URL">Company Name</a>:</p>
		<h3><a href="#FORM.url#">#FORM.title#</a></h3>
		<p>For more market insight read our award-winning C.E.O. blog from Boss, <a href="Link"><strong>Article</strong></a>, or our weekly newsletter, the .</p>
		<table cellpadding="0" cellspacing="0" border="0">
		<tr>
		<td><a href="URL" title="Follow us on Facebook"><img src="image" alt="Facebook" width="32" height="32" border="0" /></a>&nbsp;&nbsp;<a href="https://api.twitter.com/" title="Follow us on Twitter"><img src="http://www.company.com/media/eblast-art/EmailShareIcone_TW32.gif" alt="Twitter" width="32" height="32" border="0" /></a>&nbsp;&nbsp;</td>
		<td><p>Follow us on <a href="http://www.facebook.com/company" title="Follow us on Facebook">Facebook</a> or <a href="https://api.twitter.com/company" title="Follow us on Twitter">Twitter</a>.</p></td>
		</tr>
		</table>
		<p>Best Regards,<br />
		Company<br />
		<a href="http://www.company.com"><strong>www.company.com</strong></a></p>
		</td>
		</tr>
		<tr>
		<td style="border-top:2px solid ##003161; font-size:11px; text-align:center;"><p>company&bull; <a href="http://www.company.com">www.company.com</a> &bull; </p></td>
		</tr>
		</table></td>
		</tr>
		</table>
		</body>
		</html>
		</cfoutput>
	</cfsavecontent>
	<cfif FORM.sharetype EQ "Page">
		<cfset shareSubject = "Your Friend Has Shared a Page on company.com" />
		<cfelse>
			<cfset shareSubject = "Your Friend Has Shared an Article on company.com" />
	</cfif>
		
	<!--- from and to are taken verbatim from the POST body, so whoever submits the form chooses both sender and recipient --->
	<cfmail from = "#FORM.my_email#" to = "#FORM.f_email#" subject = "#shareSubject#">
		<cfmailpart type="text" wraptext="74">
			You are reading this message as plain text, because your mail reader
			does not handle HTML text.
		</cfmailpart>
		
		<cfmailpart type="html">
			#mailBodyHTM#
		</cfmailpart>
	</cfmail>

	<cfset formPosted = "t" />
</cfif>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Email to a Friend</title>
<style>
body {
	margin:0;
	padding:0;
	background-color:#ffffff;
	color:#999999;
	font-family:Arial, Helvetica, sans-serif;
}
#share_form {
	padding:8px;
	border:2px solid #003161;
	font-size:11px;
}
form div {
	margin:8px auto;
	padding:0;
	width:200px;
	text-align:left;
}
label {
	display:block;
	margin:0;
	font-size:10px;
	text-transform:uppercase;
	color:#003161;
	text-align:left;
}
input {
	border:2px solid #dfe7ed;
	height:14px;
	line-height:14px;
	color:#666666;
	width:200px;
}
input#send {
	display:block;
	margin:8px auto;
	padding:4px 0;
	width:200px;
	height:auto;
	border:2px solid #003161;
	background-color:#dfe7ed;
	border-radius:8px;
	text-align:center;
	font-weight:bold;
	font-size:12px;
	text-transform:uppercase;
	color:#003161;
}
input#send:hover {
	background-color:#80a1b6;
	color:#ffffff;
}

input#sendDIS {
	display:block;
	margin:8px auto;
	padding:4px 0;
	width:200px;
	height:auto;
	border:2px solid #999999;
	background-color:#CCC;
	border-radius:8px;
	text-align:center;
	font-weight:bold;
	font-size:12px;
	text-transform:uppercase;
	color:#666;
}
</style>

<!-- CF javascript form validation -->
<script type="text/javascript" src="http://www.company.com/scripts/cfform.js"></script>
<script type="text/javascript" src="http://www.company.com/scripts/masks.js"></script>
</head>

<body>
<cfoutput>
<cfif formPosted EQ "t">
	<p align="center"><strong>Thank you for your interest.</strong><br />Your email has been sent.</p>
	<cfelse>
		<cfif validLink EQ "t">
			<!--- check for valid QueryStrings --->
			<cfform name="share_form" id="share_form" method="post" action="http://www.company.com/company/Send.cfm?frm=sent" onsubmit="return _CF_checkform(this)">
			
				<div>
					<label>From:</label>
					<cfinput type="text" name="my_email" id="my_email" value="Your Email" size="25" onFocus="this.value='';" validate="email" required="Yes" message="Error From field: Please enter a valid email address" />
				</div>
				<div>
					<label>To:</label>
					<cfinput type="text" name="f_email" id="f_email" value="Friend's Email" size="25" onFocus="this.value='';" validate="email" required="Yes" message="Error To field: Please enter a valid email address" />
				</div>
					<!--- hidden inputs are re-read from FORM on submit, so they are as attacker-controlled as the visible ones --->
					<cfinput type="hidden" name="title" value="#url.title#" />
					<cfinput type="hidden" name="url" value="#url.link#" />
					<cfinput type="hidden" name="sharetype" value="#url.sharetype#" />
					<cfinput type="submit" name="send" value="Send Email" id="send" />
			</cfform>
		<cfelse>
		<!--- if no valid querystrings, do not display form --->
			<center>
			<h2>Invalid Access</h2>
			<p>Please return to <a href="http://www.company.com">company.com</a></p>
			</center>
		</cfif> <!--- end check validLink --->
</cfif>
</cfoutput> <!--- end check formPosted --->
</body>
</html>

LVL 52

Expert Comment

by:_agx_
ID: 40494625
Looks like it would allow a spammer to send out that email - with spam links instead - using any from/to email addresses they wanted, just by doing a fake http post.

Author Comment

by:JohnMac328
ID: 40494629
Hi agx - that is exactly what is happening - any way to prevent it?
LVL 52

Accepted Solution

by:
_agx_ earned 500 total points
ID: 40494663
You need to implement something like captcha or form protect to prevent bots or automated submissions. Examples:

http://cfformmail.riaforge.org/
http://www.bennadel.com/blog/929-preventing-spam-bot-form-submissions-with-coldfusion-revisited.htm
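The two points raised in the thread, that a bare HTTP POST can set any from/to address and any link (the first _agx_ comment), and that the form needs protection against automated submissions (the accepted answer), can both be addressed in the handler itself. The version below is an added example written for this page; it is not the poster's code and not taken from the riaforge or bennadel links. It assumes ColdFusion 10 or later (for csrfGenerateToken/csrfVerifyToken, isValid, encodeForHTML and encodeForHTMLAttribute) with session management enabled in Application.cfc. The host name company.com, the noreply@company.com sender, the Page/Article type list and the ten-per-session limit are placeholders to adjust for the real site.

```cfml
<!--- Hardened Send.cfm (added example, not the poster's code).
      Assumes ColdFusion 10+ and sessionManagement enabled in Application.cfc.
      The host name, the noreply address and the per-session limit are placeholders. --->
<cfset allowedTypes  = "Page,Article" />                           <!--- the only values the site links with --->
<cfset ownSiteRegex  = "^https?://(www\.)?company\.com(/|$)" />    <!--- shared links must point back at our own site --->
<cfset maxPerSession = 10 />
<cfset formPosted    = "f" />
<cfset errors        = [] />

<cfif structKeyExists(form, "send")>
    <!--- 1. Automated posts: the token binds the POST to a session that actually rendered the form,
         and the honeypot field is hidden by CSS, so real browsers submit it empty --->
    <cfif not structKeyExists(form, "token") or not csrfVerifyToken(form.token)>
        <cfset arrayAppend(errors, "Form expired or invalid, please reload the page.") />
    </cfif>
    <cfif structKeyExists(form, "website") and len(trim(form.website))>
        <cfset arrayAppend(errors, "Invalid submission.") />
    </cfif>

    <!--- 2. Per-session rate limit (a production deployment would also limit per source IP) --->
    <cfparam name="session.shareCount" default="0" />
    <cfif session.shareCount GTE maxPerSession>
        <cfset arrayAppend(errors, "Sharing limit reached.") />
    </cfif>

    <!--- 3. Validate every field the mail is built from; hidden inputs are attacker-controlled too --->
    <cfparam name="form.my_email"  default="" />
    <cfparam name="form.f_email"   default="" />
    <cfparam name="form.url"       default="" />
    <cfparam name="form.title"     default="" />
    <cfparam name="form.sharetype" default="" />

    <cfif not isValid("email", form.my_email) or not isValid("email", form.f_email)>
        <cfset arrayAppend(errors, "Please enter valid email addresses.") />
    </cfif>
    <cfif reFind("[\r\n]", form.my_email & form.f_email & form.title)>   <!--- mail header injection --->
        <cfset arrayAppend(errors, "Invalid characters in input.") />
    </cfif>
    <cfif not reFindNoCase(ownSiteRegex, form.url)>
        <cfset arrayAppend(errors, "Only pages on company.com can be shared.") />
    </cfif>
    <cfif not listFindNoCase(allowedTypes, form.sharetype) or len(form.title) GT 150>
        <cfset arrayAppend(errors, "Invalid share type or title.") />
    </cfif>

    <cfif arrayLen(errors) EQ 0>
        <cfif form.sharetype EQ "Page">
            <cfset shareSubject = "Your Friend Has Shared a Page on company.com" />
        <cfelse>
            <cfset shareSubject = "Your Friend Has Shared an Article on company.com" />
        </cfif>
        <!--- Body: user data is HTML-encoded; the link is the validated URL, never free text --->
        <cfsavecontent variable="mailBodyHTM">
            <cfoutput>
            <p>Your friend, #encodeForHTML(form.my_email)#, thought you may be interested in this
               #encodeForHTML(lCase(form.sharetype))# from Company Name:</p>
            <h3><a href="#encodeForHTMLAttribute(form.url)#">#encodeForHTML(form.title)#</a></h3>
            </cfoutput>
        </cfsavecontent>
        <!--- From is fixed to our own domain so SPF/DKIM still pass; the visitor's address goes in Reply-To --->
        <cfmail from="noreply@company.com" replyto="#form.my_email#" to="#form.f_email#"
                subject="#shareSubject#" type="html">
            #mailBodyHTM#
        </cfmail>
        <cfset session.shareCount = session.shareCount + 1 />
        <cfset formPosted = "t" />
    </cfif>
</cfif>

<cfoutput>
<cfif formPosted EQ "t">
    <p><strong>Thank you for your interest.</strong><br />Your email has been sent.</p>
<cfelseif structKeyExists(url, "link") and structKeyExists(url, "title") and structKeyExists(url, "sharetype")>
    <cfloop array="#errors#" index="e"><p class="error">#encodeForHTML(e)#</p></cfloop>
    <form method="post" action="Send.cfm">
        <input type="hidden" name="token"     value="#csrfGenerateToken()#" />
        <input type="text"   name="website"   value="" style="display:none" tabindex="-1" autocomplete="off" />
        <input type="hidden" name="title"     value="#encodeForHTMLAttribute(url.title)#" />
        <input type="hidden" name="url"       value="#encodeForHTMLAttribute(url.link)#" />
        <input type="hidden" name="sharetype" value="#encodeForHTMLAttribute(url.sharetype)#" />
        <label>From: <input type="email" name="my_email" required="required" /></label>
        <label>To: <input type="email" name="f_email" required="required" /></label>
        <!--- a CAPTCHA widget, as the accepted answer recommends, would be rendered here --->
        <input type="submit" name="send" value="Send Email" />
    </form>
<cfelse>
    <h2>Invalid Access</h2>
    <p>Please return to <a href="http://www.company.com">company.com</a></p>
</cfif>
</cfoutput>
```

The session-bound token stops the blind POST described in the thread, but a bot that first fetches the form page still obtains a valid token, which is why the rate limit and a CAPTCHA at the marked spot remain necessary. Fixing the From header to the site's own address is what actually closes the "hijack": with the original code the server would emit mail with any sender the caller chose, which lets a spammer impersonate third parties through your MTA and damages the reputation of the sending host. Putting the visitor's address in Reply-To preserves the feature without that exposure, and the host allowlist on form.url means the only link the message can carry is one on company.com.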

Author Comment

by:JohnMac328
ID: 40494668
Thanks agx - I will get started.