Solved

CF - Help to prevent injection and or hijack of email server

Posted on 2014-12-11
6
213 Views
Last Modified: 2014-12-11
We have found that emails were being sent from our email server.  We were notified that this is the form that was being used.  I did not write this and was wondering if anyone can point out where the code is allowing this to happen.  For example I use query param to prevent SQL injection but i can't see where this code can be improved. I included the script in a txt file.

Any help is appreciated.

Thanks,
John
0
Comment
Question by:JohnMac328
  • 3
  • 2
6 Comments
 
LVL 37

Expert Comment

by:Neil Russell
Comment Utility
No text file here
0
 

Author Comment

by:JohnMac328
Comment Utility
I will try again - if it does not work I will paste it also

<!--- Initialize variables --->

<cfif isDefined("url.link") and isDefined("url.title")>
	<cfset validLink = "t" />
	<cfelse>
		<cfset validLink = "f" />
</cfif>

<cfset formPosted = "f" />

<!--- check form submission and insert data --->
<cfif isDefined("FORM.send")>
	<cfset typeLC=LCase(#FORM.sharetype#) />
	<!--- build HTML mail body --->
	<cfsavecontent variable="mailBodyHTM">
		<cfoutput>
		<html>
		<body topmargin="0" bottommargin="0" rightmargin="0" leftmargin="0" bgcolor="##ffffff">
		<style>
		body {
		margin:0;
		padding:0;
		font-family:Arial, Helvetica, sans-serif;
		color:##666666;
		font-size:12px;
		line-height:130%;
		}
		a:link, a:visited {
		color:##003161;
		text-decoration:none;
		}
		a:hover {
		color:##336;
		text-decoration:underline;
		}
		h3 {
		margin-top:1em;
		color:##003161;
		}
		</style>
		<table cellpadding="0" cellspacing="0" width="100%" border="0">
		<tr>
		<td valign="top" align="center"><table width="500" border="0" cellspacing="0" cellpadding="0">
		<tr>
		<td style="border-bottom:2px solid ##003161;"><a hreff="URL"><img src="image" alt="" width="454" height="71" border="0" /></a></td>
		</tr>
		<tr>
		<td><h3>Check Out This #FORM.sharetype#:</h3>
		<p>Your friend, #my_email#, thought you may be interested in this #typeLC# from <a href="URL">Company Name</a>:</p>
		<h3><a href="#FORM.url#">#FORM.title#</a></h3>
		<p>For more market insight read our award-winning C.E.O. blog from Boss, <a href="Link"><strong>Article</strong></a>, or our weekly newsletter, the .</p>
		<table cellpadding="0" cellspacing="0" border="0">
		<tr>
		<td><a href="URL" title="Follow us on Facebook"><img src="image" alt="Facebook" width="32" height="32" border="0" /></a>&nbsp;&nbsp;<a href="https://api.twitter.com/" title="Follow us on Twitter"><img src="http://www.company.com/media/eblast-art/EmailShareIcone_TW32.gif" alt="Facebook" width="32" height="32" border="0" /></a>&nbsp;&nbsp;</td>
		<td><p>Follow us on <a href="http://www.facebook.com/company" title="Follow us on Facebook">Facebook</a> or <a href="https://api.twitter.com/company" title="Follow us on Twitter">Twitter</a>.</p></td>
		</tr>
		</table>
		<p>Best Regards,<br />
		Company<br />
		<a href="http://www.company.com"><strong>www.company.com</strong></a></p>
		</td>
		</tr>
		<tr>
		<td style="border-top:2px solid ##003161; font-size:11px; text-align:center;"><p>company&bull; <a href="http://www.company.com">www.company.com</a> &bull; </p></td>
		</tr>
		</table></td>
		</tr>
		</table>
		</body>
		</html>
		</cfoutput>
	</cfsavecontent>
	<cfif FORM.sharetype EQ "Page">
		<cfset shareSubject = "Your Friend Has Shared a Page on company.com" />
		<cfelse>
			<cfset shareSubject = "Your Friend Has Shared an Article on company.com" />
	</cfif>
		
	<cfmail from = "#FORM.my_email#" to = "#FORM.f_email#" subject = "#shareSubject#">
		<cfmailpart type="text" wraptext="74">
			You are reading this message as plain text, because your mail reader
			does not handle HTML text.
		</cfmailpart>
		
		<cfmailpart type="html">
			#mailBodyHTM#
		</cfmailpart>
	</cfmail>

	<cfset formPosted = "t" />
</cfif>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Email to a Friend</title>
<style>
body {
	margin:0;
	padding:0;
	background-color:#ffffff;
	color:#999999;
	font-family:Arial, Helvetica, sans-serif;
}
#share_form {
	padding:8px;
	border:2px solid #003161;
	font-size:11px;
}
form div {
	margin:8px auto;
	padding:0;
	width:200px;
	text-align:left;
}
label {
	display:block;
	margin:0;
	font-size:10px;
	text-transform:uppercase;
	color:#003161;
	text-align:left;
}
input {
	border:2px solid #dfe7ed;
	height:14px;
	line-height:14px;
	color:#666666;
	width:200px;
}
input#send {
	display:block;
	margin:8px auto;
	padding:4px 0;
	width:200px;
	height:auto;
	border:2px solid #003161;
	background-color:#dfe7ed;
	border-radius:8px;
	text-align:center;
	font-weight:bold;
	font-size:12px;
	text-transform:uppercase;
	color:#003161;
}
input#send:hover {
	background-color:#80a1b6;
	color:#ffffff;
}

input#sendDIS {
	display:block;
	margin:8px auto;
	padding:4px 0;
	width:200px;
	height:auto;
	border:2px solid #999999;
	background-color:#CCC;
	border-radius:8px;
	text-align:center;
	font-weight:bold;
	font-size:12px;
	text-transform:uppercase;
	color:#666;
}
</style>

<!-- CF javascript form validation -->
<script type="text/javascript" src="http://www.company.com/scripts/cfform.js"></script>
<script type="text/javascript" src="http://www.company.com/scripts/masks.js"></script>
</head>

<body>
<cfoutput>
<cfif formPosted EQ "t">
	<p align="center"><strong>Thank you for your interest.</strong><br />Your email has been sent.</p>
	<cfelse>
		<cfif validLink EQ "t">
			<!--- check for valid QueryStrings --->
			<cfform name="share_form" id="share_form" method="post" action="http://www.company.com/company/Send.cfm?frm=sent" onsubmit="return _CF_checkform(this)">
			
				<div>
					<label>From:</label>
					<cfinput type="text" name="my_email" id="my_email" value="Your Email" size="25" onFocus="this.value='';" validate="email" required="Yes" message="Error From field: Please enter a valid email address" />
				</div>
				<div>
					<label>To:</label>
					<cfinput type="text" name="f_email" id="f_email" value="Friend's Email" size="25" onFocus="this.value='';" validate="email" required="Yes" message="Error To field: Please enter a valid email address" />
				</div>
					<cfinput type="hidden" name="title" value="#url.title#" />
					<cfinput type="hidden" name="url" value="#url.link#" />
					<cfinput type="hidden" name="sharetype" value="#url.sharetype#" />
					<cfinput type="submit" name="send" value="Send Email" id="send" />
			</cfform>
		<cfelse>
		<!--- if no valid querystrings, do not display form --->
			<center>
			<h2>Invalid Access</h2>
			<p>Please return to <a href="http://www.company.com">company.com</a></p>
			</center>
		</cfif> <!--- end check validLink --->
</cfif>
</cfoutput> <!--- end check formPosted --->
</body>
</html>

Open in new window

0
 
LVL 52

Expert Comment

by:_agx_
Comment Utility
Looks like it would allow a spammer to send out that email - with spam links instead - using any from/to email addresses they wanted, just by doing a fake http post.
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 

Author Comment

by:JohnMac328
Comment Utility
Hi agx - that is exactly what is happening - any way to prevent it?
0
 
LVL 52

Accepted Solution

by:
_agx_ earned 500 total points
Comment Utility
You need to implement something like captcha or form protect to prevent bots or automated submissions. Examples;

http://cfformmail.riaforge.org/
http://www.bennadel.com/blog/929-preventing-spam-bot-form-submissions-with-coldfusion-revisited.htm
0
 

Author Comment

by:JohnMac328
Comment Utility
Thanks agx - i will get started.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
By this time the large percentage of day-to-day transactions have shifted to mobile banking; here are some overriding areas QAs must investigate while testing mobile banking apps.  
In this tutorial viewers will learn how to style a corner ribbon overlay for an image using CSS Create a new class by typing ".Ribbon":  Define the class' "display:" as "inline-block": Define its "position:" as "relative": Define its "overflow:" as …
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now