Re: ColdFusion / authorize.net question
Glad to be of help, and don't worry about the boneheadedness. I spent hours last week trying to debug a similar issue with a form only to discover I had a minus sign where I needed an equal sign. Stuff happens. On Mon, Aug 18, 2014 at 8:05 PM, Eric Bourland wrote: > > Maureen, you're my hero. That worked. Dean, Roger, Les -- thank you all very > much. > > So -- I need to rename some form fields now. I think I can take it from here. > > On the phone with authorize.net right now to change API Login Key and > Transaction ID after posting them here with my code in a moment of extreme > boneheadedness. > > Thanks very much. =) ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359158 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
I'd also enlist the help of your hosting provider if server level troubleshooting is part of your service level agreement. It's usually in their best interest to squash this type of activity, as it can get their ip addreses and ranges blacklisted. Byron Mann Lead Engineer & Architect HostMySite.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359157 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: ColdFusion / authorize.net question
Maureen, you're my hero. That worked. Dean, Roger, Les -- thank you all very much. So -- I need to rename some form fields now. I think I can take it from here. On the phone with authorize.net right now to change API Login Key and Transaction ID after posting them here with my code in a moment of extreme boneheadedness. Thanks very much. =) Eric *** Eric Bourland Internet Project Development Washington DC kind | creative | reliable > To: cf-talk@houseoffusion.com > Subject: Re: ColdFusion / authorize.net question > Date: Mon, 18 Aug 2014 19:36:40 -0400 > From: mamamaur...@gmail.com > > > You now have two form fields with the same name. You can lose the > hidden field for x_last_name since you now are getting it from the > input. > > > > On Mon, Aug 18, 2014 at 7:21 PM, Eric Bourland wrote: > > > >> > >>>An easier option would be to just rename your LastName > >> > field to x_last_name and not have to deal with the javascript at all. > > > > Dean, Maureen: I agree that simple is best. So, I dispensed with cfset, and > > used this: > > > > > > > > > > Enter Last Name: > > > > > ...but ColdFusion objects to the syntax of this line: > > > > > /> > > > > Am I on the right track? I feel like I have been missing something quite > > obvious. Thank you again for your help. > > ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359156 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: ColdFusion / authorize.net question
You now have two form fields with the same name. You can lose the hidden field for x_last_name since you now are getting it from the input. On Mon, Aug 18, 2014 at 7:21 PM, Eric Bourland wrote: > >> > >>>An easier option would be to just rename your LastName >> > field to x_last_name and not have to deal with the javascript at all. > > Dean, Maureen: I agree that simple is best. So, I dispensed with cfset, and > used this: > > > > > Enter Last Name: > > ...but ColdFusion objects to the syntax of this line: > > /> > > Am I on the right track? I feel like I have been missing something quite > obvious. Thank you again for your help. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359155 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: ColdFusion / authorize.net question
You don'tneed the double quotes around form.lastname in a cfset statement. Eric Bourland wrote: > > Dear Roger, > > Thanks for that. However, > > > > inserts value "form.lastname" in the Last Name field in the authorize.net > form. I think I need the outputs. I am also wondering why any value that > occurs between the outputs gets .. stolen. Gone. > > I'll try this next: > > >>>An easier option would be to just rename your LastName > field to x_last_name and not have to deal with the javascript at all. -- LinkedIn: http://www.linkedin.com/pub/roger-austin/8/a4/60 Twitter: http://twitter.com/RogerTheGeek Blog: http://RogerTheGeek.wordpress.com/ ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359154 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: ColdFusion / authorize.net question
> > >>>An easier option would be to just rename your LastName > > field to x_last_name and not have to deal with the javascript at all. Dean, Maureen: I agree that simple is best. So, I dispensed with cfset, and used this: Enter Last Name: ...but ColdFusion objects to the syntax of this line: Am I on the right track? I feel like I have been missing something quite obvious. Thank you again for your help. Eric *** Eric Bourland Internet Project Development Washington DC kind | creative | reliable ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359153 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: ColdFusion / authorize.net question
but in order for this to work, you need to have a form field with name="lastname" and you don't appear to have that in the code you posted. And I agree with Roger that renaming the field names to the variable name you need to send is the simpler solution. On Mon, Aug 18, 2014 at 7:00 PM, Eric Bourland wrote: > > Dear Roger, > > Thanks for that. However, > > > > inserts value "form.lastname" in the Last Name field in the authorize.net > form. I think I need the outputs. I am also wondering why any value that > occurs between the outputs gets .. stolen. Gone. > > I'll try this next: > > >>>An easier option would be to just rename your LastName > field to x_last_name and not have to deal with the javascript at all. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359151 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: ColdFusion / authorize.net question
...nd obviously I am going to generate a new transaction key since I just posted mine. sigh. *** Eric Bourland Internet Project Development Washington DC kind | creative | reliable > To: cf-talk@houseoffusion.com > Subject: RE: ColdFusion / authorize.net question > Date: Mon, 18 Aug 2014 23:00:07 + > From: ebwebw...@outlook.com > > > Dear Roger, > > Thanks for that. However, > > > > inserts value "form.lastname" in the Last Name field in the authorize.net > form. I think I need the outputs. I am also wondering why any value that > occurs between the outputs gets .. stolen. Gone. > > I'll try this next: > > >>>An easier option would be to just rename your LastName > field to x_last_name and not have to deal with the javascript at all. > > > ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359152 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: ColdFusion / authorize.net question
Dear Roger, Thanks for that. However, inserts value "form.lastname" in the Last Name field in the authorize.net form. I think I need the outputs. I am also wondering why any value that occurs between the outputs gets .. stolen. Gone. I'll try this next: >>>An easier option would be to just rename your LastName field to x_last_name and not have to deal with the javascript at all. *** Eric Bourland Internet Project Development Washington DC kind | creative | reliable > To: cf-talk@houseoffusion.com > Subject: RE: ColdFusion / authorize.net question > Date: Mon, 18 Aug 2014 22:47:08 + > From: raust...@nc.rr.com > > > I might try > > instead of > > Eric Bourland wrote: > > > > http://nnvawi.org/sample2.cfm > > > > When I use the code, below, then the Last Name field in the authorize.net > > page gets populated with: > > > > > > > > So it looks like something is ... erasing the value of #form.lastname#: > > > > > > > > >>>An easier option would be to just rename your LastName field to > > >>>x_last_name and not have to deal with the javascript at all. > > > > This makes a tremendous amount of sense ... and I did try it -- I am pretty > > sure I did ... around 3 this morning. I was pretty tired then, so I will > > try it again and let you know how it goes. > > > > But, it seems like this code should work, yes? Thank you again for your > > help. Eric > > > > [code] > > > > > > > > > "http://www.w3.org/TR/html4/loose.dtd";> > > > > > > Sample SIM Implementation > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://secure.authorize.net/gateway/transact.dll";> > > > > > > > > > > > > > > > > > > > > > DateConvert('local2UTC', Now())) > > > > > > > > key="#transactionKey#"> > > > > > > > > > > > > Amount: #amount# > > Description: #description# > > > > > > > > > > > > Enter Last Name: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > [/code] > > > > > > > > > > > > > > > > *** > > > > Eric Bourland > > > > Internet Project Development > > > > Washington DC > > > > kind | creative | reliable > > > > > > > > > > ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359150 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: ColdFusion / authorize.net question
I might try instead of Eric Bourland wrote: > > http://nnvawi.org/sample2.cfm > > When I use the code, below, then the Last Name field in the authorize.net > page gets populated with: > > > > So it looks like something is ... erasing the value of #form.lastname#: > > > > >>>An easier option would be to just rename your LastName field to > >>>x_last_name and not have to deal with the javascript at all. > > This makes a tremendous amount of sense ... and I did try it -- I am pretty > sure I did ... around 3 this morning. I was pretty tired then, so I will try > it again and let you know how it goes. > > But, it seems like this code should work, yes? Thank you again for your help. > Eric > > [code] > > > >"http://www.w3.org/TR/html4/loose.dtd";> > > > Sample SIM Implementation > > > > > > > > > > > > > > > > > > > > > > > https://secure.authorize.net/gateway/transact.dll";> > > > > > > > > > > DateConvert('local2UTC', Now())) > > > > key="#transactionKey#"> > > > > > > Amount: #amount# > Description: #description# > > > > > > Enter Last Name: > > > > > > > > > > > > > > > > > > > > > [/code] > > > > > > > > *** > > Eric Bourland > > Internet Project Development > > Washington DC > > kind | creative | reliable > > > > ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359149 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: ColdFusion / authorize.net question
http://nnvawi.org/sample2.cfm When I use the code, below, then the Last Name field in the authorize.net page gets populated with: So it looks like something is ... erasing the value of #form.lastname#: >>>An easier option would be to just rename your LastName field to x_last_name >>>and not have to deal with the javascript at all. This makes a tremendous amount of sense ... and I did try it -- I am pretty sure I did ... around 3 this morning. I was pretty tired then, so I will try it again and let you know how it goes. But, it seems like this code should work, yes? Thank you again for your help. Eric [code] http://www.w3.org/TR/html4/loose.dtd";> Sample SIM Implementation https://secure.authorize.net/gateway/transact.dll";> Amount: #amount# Description: #description# Enter Last Name: [/code] *** Eric Bourland Internet Project Development Washington DC kind | creative | reliable ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359148 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: ColdFusion / authorize.net question
Dean and Les, Thank you for these helpful remarks. Dean, I think I did implement, in another draft of this form, the idea that you suggested -- but I will check that and confirm. I've been working on this task stubbornly for three days and have many versions of this code. I will check my work; try your suggestion; and report back here. Thanks so much. Eric > To: cf-talk@houseoffusion.com > Subject: Re: ColdFusion / authorize.net question > Date: Mon, 18 Aug 2014 15:02:44 -0400 > From: dean...@gmail.com > > > Les, your implementation is using the Direct Post Method (DPM), not the > Server Integration Method (SIM) that Eric is trying to implement. > > > On Mon, Aug 18, 2014 at 2:52 PM, Les Mizzell wrote: > > > > > On 8/18/2014 12:36 AM, Eric Bourland wrote: > > > Has anyone here tried out the ColdFusion SIM* sample code from > > authorize.net? I > > > > A version of the below has been working great for me. I use it as a > > include on my form processing page that also records the appropriate > > data to the customers record in the database (NOT the credit card info! > > NEVER do this!) > > > > ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359147 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
Garry The hack files are not always called h.cfm. In fact that was just one named used by one attacker. there was also i.cfm by another attacker. Others have used other file names and/or other techniques as described in this blog post that Mark Kruger wrote that describes an exploit method I found. The file can be named anything. and its does not even need to be a .cfm or .cfc file. As this post points out (http://www.coldfusionmuse.com/index.cfm/2013/12/5/attack.vector.missing.template.handler ) Odds are someone was able to insert onto your server a "web shell" file that is granting them full access to anything they want on the server. The blog post by Charlie that was already mentioned is a great resource too. Here is what I would be doing: 1. At this point I would be changing my mail server credentials and going from CFAdmin mail credential settings to template level just to stop the flow of bogus email. 2. Locking down the CFAdmin and CFIDE or disabling it all together. The fastest way on IIS would be to restrict access to CFIDE to the 127.0.0.1 IP address. 3. Next I would do a search of all text files for the existence of " wrote: > > What version of ColdFusion are you currently on and what's your patch > level. I've seen instances where the vulnerability in the AdminAPI is > exploited to upload templates that mass send junk mail. Look for a file > called "h.cfm" in your CFIDE folder and in your webroot. That is the usual > vector for this kind of attack.. > > If you find it, you'll need to assume that your entire server is > potentially compromised as they have the ability to upload and execute any > code in your system... > > -- > Jeff > > > > Original Message >> From: "G T" >> Sent: Monday, August 18, 2014 1:13 PM >> To: "cf-talk" >> Subject: Re: EMail Injection Attack >> >> Hi Robert - Thanks for the reply, yes of course let me explain a bit > more. >> >> While checking our sent mail logs, logged by coldfusion, we noticed > emails were being sent out that was not directly sent through our own > pages. Spam emails that were sent to different outside emails. >> >> So we can see that spam emails were sent outbound, but as of yet, we have > no source of where they're coming from (ie. which pages are compromised). >> >> From what I've been researching, one way this is done by email inject - > where they use form submissions to inject their own coldfusion code to form > their own 'cfmail' sends. > http://www.asadesigner.com/13-coldfusion/07d6a249de5791e6.htm >> >> Please let me know if you need additional info >> >>> Can you explain a bit more what you mean by email injection attack? >>> Do you mean someone is spamming forms that generate forms email, or is >>> someone using some application you have to generate spam? Can you >>> provide a slightly better explanation of what's happening? >>> >>> >>> Robert Harrison >>> Director of Interactive Services >>> >>> Austin & Williams >>> Advertising I Branding I Digital I Direct >>> 125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788 >>> T 631.231.6600 X 119 F 631.434.7022 >>> http://www.austin-williams.com >>> >>> Blog: http://www.austin-williams.com/blog >>> Twitter: http://www.twitter. >> com/austin_ >> >> > > ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359146 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
if sending by CF but not using your code that could mean they are running cf code you didn't write. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359145 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
To consolidate a few thoughts here - 1) I will be looking to webserver logs and mail sent logs to see if I see any points of contact of when/where the attacks are coming from. If I can isolate the problem to it actually being a page attack (ie. email inject) vs a serverside compromise (ie. environment vulnerabilities) then that will be a great start. 2) My coldfusion server configuration is: Server Product ColdFusion Version 8,0,1,195765 Update Level /C:/ColdFusion8/lib/updates/hf801-3.jar 3) There is no real logs to see where cfmail requests to the spooler are coming from - which is my original question :) so thank you for that info. 4) I will be doing some code cleansing and try to mitigate the issue by implementing a few suggestions including referrer check, stmp authentication, and field checks for injection code. I appreciate all your help, I just came across this community and so far this has been extremely helpful. > Hi All - > > Recently we've been under a email injection attack where we have > unauthorized emails being sent through our coldfusion application. At > this point we are unsure if it is through an email injection attack or > not but if anybody has any advice on how to figure out where the > attack is coming from it would be very helpful. > > My first question is - is there a way to trace back to which page > cfmail is being called from? Are there any logs that I can view that > would allow us to track down what pages are being hijacked? > > Much appreciated, thanks! ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359144 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
Hey Dean - I'll be looking at my webserver logs to see if I can see any correlation with my mail logs. But to respond to your thought, none of the code so far allows the user to specify who they're sending to. The forms that send email are at the very basic level just notification to our internal recipients on submissions. Thanks! >The easiest thing to do is to scan your site code to see what pages contain >the cfmail tag. The next thing is to look at your web server logs to see >who is requesting those pages. If you allow for the site visitor to specify >who the mail is being sent to, then you are opening yourself up to someone >sending spam through your site. > > > > >> ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359143 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
Regarding the 'h.cfm' issue, go to the bathroom first (your upholstery will thank me) and THEN sit down and read this. http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat and the two follow-on blog entries linked at page bottom. This did quite a job of rocking many worlds and if you are just hearing about it, pray you aren't vulnerable or infected. As for email, here's one of mine: If users are inputting data into your mail headers (i.e. a "your Email" field and you are taking their input) then you need to scrub that input before its put into a cfmail parameter. Something like an isEmail() function for the 'to' if it is an address that is user-submitted. If for example its the email subject then strip out things like linefeeds and breaks. I don't like putting in auth info into the CF administrator (I put dummy info there, in fact). I prefer to put it in via the CF template, but I keep the actual account info in a cf template that is actually not on the web root, and cfincluded into the application via a relative path in Application.cfm. The point of doing that is the file and its sensitive contents is a lot harder to find a way to read if its not web-accessible. I also send mail from CF via a nonstandard port. My mail server is config'd to listen for incoming mail on that additional port and only accept from the CF server's IP. IP-specific holes are poked in firewalls accordingly. This step may not be available with your MS 365 mail server. If MS 365 has frequency filters that spot mail in quantity being sent from User X and takes action if it exceeds a certain threshold, then you want to fire that layer of protection up. All of this is imperfect but as a package its pretty solid. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359142 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
I currently have logging for sent mail through cfadmin so that is really the way I found out that email is being sent outbound somehow. I do have captcha implementation on my forms, but it's been a bit of time since I initially implemented this, so I was also considering the possibility that the implementation may be flawed now (spammers found a way around such walls). The server we're using to send the email is office 365 so (hopefully) they are not the issue. >Make sure the cfmail option for logging sent mail is enabled via the >CFAdmin. This will tell you if CF is actually sending the mail. The log >file will be in your CF root under logs. I think it's mailsent.log. > >Most likely one of two things. > >You have a web form that sends through another template using the cfmail >tag which does no "human" checking, like a Captcha or checking the delay >between page load and send request. > >Or you have an open relay with the mail server that is being used by CF to >send mail, and CF is not actually the issue. Your mail server logs can log >this, log location will vary based on the server used. There are several >online tools to check if your mail server has an open relay. > >http://mxtoolbox.com/diagnostic.aspx > >~Byron > > > > >> ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359141 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
The easiest thing to do is to scan your site code to see what pages contain the cfmail tag. The next thing is to look at your web server logs to see who is requesting those pages. If you allow for the site visitor to specify who the mail is being sent to, then you are opening yourself up to someone sending spam through your site. On Mon, Aug 18, 2014 at 4:39 PM, G T wrote: > > The server itself is our own dedicated webserver, and as for our email > server we're using Microsoft 365 so I do not think the compromise is at > that level. > > I may implement the smtp auth piece to at least mitigate the issue as of > now. > > Thanks for the suggestion! > > >Do you have admin control of this server or is it a shared host? If its > a > >server you control then its a simple matter to lock down the mail server, > >right? Require smtp auth for all senders and then use smtp auth in your > >cfmail statements in your code. That would be just step 1 of a hardening > >process that should have more than this layer to it. > > > >I realize this doesn't bear on your discovery question but if this is > >happening at all it points to a hole in security in at least one place. > >And if its a shared host then the situation may not be in your control in > >the first place. > > > > > > > > > >> > > ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359140 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
Hey Jeff - This is our current coldfusion setup: Server Product ColdFusion Version 8,0,1,195765 Update Level /C:/ColdFusion8/lib/updates/hf801-3.jar I took a look for the "h.cfm" file under the CDIFE root and the webroot and did a search as well for this file but did not see any results return. My initial reaction was to see if there were patches that I have missed and I did a few patches just recently to make sure I was up to date. But given that we're running on a very old version of coldfusion, and the issue cropped up just recently, I am not sure if there has been an update to fix these types of compromises in newer versions of CF. As for the "h.cfm" - is there any other variants that I need to make sure that I am not missing on looking out for? Thanks for your help! >What version of ColdFusion are you currently on and what's your patch >level. I've seen instances where the vulnerability in the AdminAPI is >exploited to upload templates that mass send junk mail. Look for a file >called "h.cfm" in your CFIDE folder and in your webroot. That is the usual >vector for this kind of attack.. > > If you find it, you'll need to assume that your entire server is >potentially compromised as they have the ability to upload and execute any >code in your system... > > -- > Jeff > > > >> Hi Robert - Thanks for the reply, yes of course let me explain a bit >more. >> >> While checking our sent mail logs, logged by coldfusion, we noticed >emails were being sent out that was not directly sent through our own >pages. Spam emails that were sent to different outside emails. >> >> So we can see that spam emails were sent outbound, but as of yet, we have >no source of where they're coming from (ie. which pages are compromised). >> >> From what I've been researching, one way this is done by email inject - >where they use form submissions to inject their own coldfusion code to form >their own 'cfmail' sends. >http://www.asadesigner.com/13-coldfusion/07d6a249de5791e6.htm >> ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359139 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
The server itself is our own dedicated webserver, and as for our email server we're using Microsoft 365 so I do not think the compromise is at that level. I may implement the smtp auth piece to at least mitigate the issue as of now. Thanks for the suggestion! >Do you have admin control of this server or is it a shared host? If its a >server you control then its a simple matter to lock down the mail server, >right? Require smtp auth for all senders and then use smtp auth in your >cfmail statements in your code. That would be just step 1 of a hardening >process that should have more than this layer to it. > >I realize this doesn't bear on your discovery question but if this is >happening at all it points to a hole in security in at least one place. >And if its a shared host then the situation may not be in your control in >the first place. > > > > >> ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359138 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: EMail Injection Attack
There are a bunch of things you can do depending on exactly how this is happening. Using STMP authentication is one... but if you think your forms are being spoofed, you may be able to use cgi vars to get some info. You can use CGI referrer to see if the request is coming from the correct page... wrap your cfmail code in CFif referrer is the expected source with an else. If it's coming from the correct page, let it process. If else, dump the vars and referrer IP to a log or send it to yourself in a mail. If you need some help with that I may be able to mock up some sample code tomorrow, but I'm on client need at the moment. Robert Harrison Director of Interactive Services Austin & Williams Advertising I Branding I Digital I Direct 125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788 T 631.231.6600 X 119 F 631.434.7022 http://www.austin-williams.com Blog: http://www.austin-williams.com/blog Twitter: http://www.twitter.com/austin_wi ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359137 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
What version of ColdFusion are you currently on and what's your patch level. I've seen instances where the vulnerability in the AdminAPI is exploited to upload templates that mass send junk mail. Look for a file called "h.cfm" in your CFIDE folder and in your webroot. That is the usual vector for this kind of attack.. If you find it, you'll need to assume that your entire server is potentially compromised as they have the ability to upload and execute any code in your system... -- Jeff Original Message > From: "G T" > Sent: Monday, August 18, 2014 1:13 PM > To: "cf-talk" > Subject: Re: EMail Injection Attack > > Hi Robert - Thanks for the reply, yes of course let me explain a bit more. > > While checking our sent mail logs, logged by coldfusion, we noticed emails were being sent out that was not directly sent through our own pages. Spam emails that were sent to different outside emails. > > So we can see that spam emails were sent outbound, but as of yet, we have no source of where they're coming from (ie. which pages are compromised). > > From what I've been researching, one way this is done by email inject - where they use form submissions to inject their own coldfusion code to form their own 'cfmail' sends. http://www.asadesigner.com/13-coldfusion/07d6a249de5791e6.htm > > Please let me know if you need additional info > > > Can you explain a bit more what you mean by email injection attack? > > Do you mean someone is spamming forms that generate forms email, or is > > someone using some application you have to generate spam? Can you > > provide a slightly better explanation of what's happening? > > > > > > Robert Harrison > > Director of Interactive Services > > > > Austin & Williams > > Advertising I Branding I Digital I Direct > > 125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788 > > T 631.231.6600 X 119 F 631.434.7022 > > http://www.austin-williams.com > > > > Blog: http://www.austin-williams.com/blog > > Twitter: http://www.twitter. > com/austin_ > > ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359135 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
To try and directly answer your question: I don't believe there are any logs that nail down what template a bit of mail is sent from. mailsent.log only says, for example: "Information","scheduler-3","01/03/14","18:32:18",,"Mail: 'Subject Goes Here' From:'whoe...@wherever.com' To:'vic...@spamworld.com' was successfully sent using mail.openrelay.com" If you are a glutton for punishment you can still do it: Synch the mail sent time in mailsent.log with your web server log's template execution times and you should probably find a correlation that way. However, if it were me, I'd concentrate on solving the root problem and forget about where it might be happening. Do a global search for every instance of "" will show you every template that sends mail. Start cleaning up your code from there. Although the mail server itself is probably the first place you should start. On Mon, Aug 18, 2014 at 1:16 PM, Byron Mann wrote: > > Make sure the cfmail option for logging sent mail is enabled via the > CFAdmin. This will tell you if CF is actually sending the mail. The log > file will be in your CF root under logs. I think it's mailsent.log. > > Most likely one of two things. > > You have a web form that sends through another template using the cfmail > tag which does no "human" checking, like a Captcha or checking the delay > between page load and send request. > > Or you have an open relay with the mail server that is being used by CF to > send mail, and CF is not actually the issue. Your mail server logs can log > this, log location will vary based on the server used. There are several > online tools to check if your mail server has an open relay. > > http://mxtoolbox.com/diagnostic.aspx > > ~Byron > > > On Mon, Aug 18, 2014 at 3:56 PM, Garry Tran wrote: > > > > > Hi All - > > > > Recently we've been under a email injection attack where we have > > unauthorized emails being sent through our coldfusion application. At > this > > point we are unsure if it is through an email injection attack or not but > > if anybody has any advice on how to figure out where the attack is coming > > from it would be very helpful. > > > > My first question is - is there a way to trace back to which page cfmail > > is being called from? Are there any logs that I can view that would > allow > > us to track down what pages are being hijacked? > > > > Much appreciated, thanks! > > > > > > ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359136 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
No really good way in CF logs that I know to see the actual file that sent the CFMail. Might be able to correlate your web server access logs to the cf mail sent log with the timestamp. Most of the time attacks like this will be all at once, so it should be fairly easy to see in the web logs. ~Byron On Mon, Aug 18, 2014 at 4:12 PM, G T wrote: > > Hi Robert - Thanks for the reply, yes of course let me explain a bit more. > > While checking our sent mail logs, logged by coldfusion, we noticed emails > were being sent out that was not directly sent through our own pages. Spam > emails that were sent to different outside emails. > > So we can see that spam emails were sent outbound, but as of yet, we have > no source of where they're coming from (ie. which pages are compromised). > > From what I've been researching, one way this is done by email inject - > where they use form submissions to inject their own coldfusion code to form > their own 'cfmail' sends. > http://www.asadesigner.com/13-coldfusion/07d6a249de5791e6.htm > > Please let me know if you need additional info > ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359134 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
Do you have admin control of this server or is it a shared host? If its a server you control then its a simple matter to lock down the mail server, right? Require smtp auth for all senders and then use smtp auth in your cfmail statements in your code. That would be just step 1 of a hardening process that should have more than this layer to it. I realize this doesn't bear on your discovery question but if this is happening at all it points to a hole in security in at least one place. And if its a shared host then the situation may not be in your control in the first place. On Mon, Aug 18, 2014 at 1:12 PM, G T wrote: > > Hi Robert - Thanks for the reply, yes of course let me explain a bit more. > > While checking our sent mail logs, logged by coldfusion, we noticed emails > were being sent out that was not directly sent through our own pages. Spam > emails that were sent to different outside emails. > > So we can see that spam emails were sent outbound, but as of yet, we have > no source of where they're coming from (ie. which pages are compromised). > > From what I've been researching, one way this is done by email inject - > where they use form submissions to inject their own coldfusion code to form > their own 'cfmail' sends. > http://www.asadesigner.com/13-coldfusion/07d6a249de5791e6.htm > > Please let me know if you need additional info > > > Can you explain a bit more what you mean by email injection attack? > > Do you mean someone is spamming forms that generate forms email, or is > > someone using some application you have to generate spam? Can you > > provide a slightly better explanation of what's happening? > > > > > > Robert Harrison > > Director of Interactive Services > > > > Austin & Williams > > Advertising I Branding I Digital I Direct > > 125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788 > > T 631.231.6600 X 119 F 631.434.7022 > > http://www.austin-williams.com > > > > Blog: http://www.austin-williams.com/blog > > Twitter: http://www.twitter. > com/austin_ > > ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359133 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
Make sure the cfmail option for logging sent mail is enabled via the CFAdmin. This will tell you if CF is actually sending the mail. The log file will be in your CF root under logs. I think it's mailsent.log. Most likely one of two things. You have a web form that sends through another template using the cfmail tag which does no "human" checking, like a Captcha or checking the delay between page load and send request. Or you have an open relay with the mail server that is being used by CF to send mail, and CF is not actually the issue. Your mail server logs can log this, log location will vary based on the server used. There are several online tools to check if your mail server has an open relay. http://mxtoolbox.com/diagnostic.aspx ~Byron On Mon, Aug 18, 2014 at 3:56 PM, Garry Tran wrote: > > Hi All - > > Recently we've been under a email injection attack where we have > unauthorized emails being sent through our coldfusion application. At this > point we are unsure if it is through an email injection attack or not but > if anybody has any advice on how to figure out where the attack is coming > from it would be very helpful. > > My first question is - is there a way to trace back to which page cfmail > is being called from? Are there any logs that I can view that would allow > us to track down what pages are being hijacked? > > Much appreciated, thanks! > > ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359132 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: EMail Injection Attack
Hi Robert - Thanks for the reply, yes of course let me explain a bit more. While checking our sent mail logs, logged by coldfusion, we noticed emails were being sent out that was not directly sent through our own pages. Spam emails that were sent to different outside emails. So we can see that spam emails were sent outbound, but as of yet, we have no source of where they're coming from (ie. which pages are compromised). >From what I've been researching, one way this is done by email inject - where >they use form submissions to inject their own coldfusion code to form their >own 'cfmail' sends. >http://www.asadesigner.com/13-coldfusion/07d6a249de5791e6.htm Please let me know if you need additional info > Can you explain a bit more what you mean by email injection attack? > Do you mean someone is spamming forms that generate forms email, or is > someone using some application you have to generate spam? Can you > provide a slightly better explanation of what's happening? > > > Robert Harrison > Director of Interactive Services > > Austin & Williams > Advertising I Branding I Digital I Direct > 125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788 > T 631.231.6600 X 119 F 631.434.7022 > http://www.austin-williams.com > > Blog: http://www.austin-williams.com/blog > Twitter: http://www.twitter. com/austin_ ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359131 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: EMail Injection Attack
Can you explain a bit more what you mean by email injection attack? Do you mean someone is spamming forms that generate forms email, or is someone using some application you have to generate spam? Can you provide a slightly better explanation of what's happening? Robert Harrison Director of Interactive Services Austin & Williams Advertising I Branding I Digital I Direct 125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788 T 631.231.6600 X 119 F 631.434.7022 http://www.austin-williams.com Blog: http://www.austin-williams.com/blog Twitter: http://www.twitter.com/austin_ ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359130 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
EMail Injection Attack
Hi All - Recently we've been under a email injection attack where we have unauthorized emails being sent through our coldfusion application. At this point we are unsure if it is through an email injection attack or not but if anybody has any advice on how to figure out where the attack is coming from it would be very helpful. My first question is - is there a way to trace back to which page cfmail is being called from? Are there any logs that I can view that would allow us to track down what pages are being hijacked? Much appreciated, thanks! ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359129 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: ColdFusion / authorize.net question
Les, your implementation is using the Direct Post Method (DPM), not the Server Integration Method (SIM) that Eric is trying to implement. On Mon, Aug 18, 2014 at 2:52 PM, Les Mizzell wrote: > > On 8/18/2014 12:36 AM, Eric Bourland wrote: > > Has anyone here tried out the ColdFusion SIM* sample code from > authorize.net? I > > A version of the below has been working great for me. I use it as a > include on my form processing page that also records the appropriate > data to the customers record in the database (NOT the credit card info! > NEVER do this!) > > > > -- --- Dean M. Lawrence INTERNET DATA TECHNOLOGY p // 888.438.4381 ext. 701 w // www.idatatech.com f // www.facebook.com/idatatech t // www.twitter.com/idatatech Social Marketing | SEO | Design | Internet Development ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359128 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: ColdFusion / authorize.net question
On 8/18/2014 12:36 AM, Eric Bourland wrote: > Has anyone here tried out the ColdFusion SIM* sample code from authorize.net? > I A version of the below has been working great for me. I use it as a include on my form processing page that also records the appropriate data to the customers record in the database (NOT the credit card info! NEVER do this!) https://secure.authorize.net/gateway/transact.dll"; method="post"> ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359127 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: ColdFusion / authorize.net question
Eric, looking at your sample form, you are never populating the hidden x_last_name field with the value from the LastName field. Also, your LastName field is outside of the tags. You need to use javascript to populate the x_last_name field with the value of LastName when someone clicks the submit button, prior to actually submitting the form. An easier option would be to just rename your LastName field to x_last_name and not have to deal with the javascript at all. On Mon, Aug 18, 2014 at 7:13 AM, Eric Bourland wrote: > > Dear .jonah, > > Good morning. Thank you so much. > > The code is below. The page is set up here: http://nnvawi.org/sample.cfm > > You can try it out and see that there is a blank value for field Last Name > in the authorize form. > > I have tried to follow the sample code given by authorize.net. > > Thank you very much for any advice you can give me, and for your time. > > best from Eric > > Code: > > > > > >"http://www.w3.org/TR/html4/loose.dtd";> > > > Sample SIM Implementation > > > > > > > > > > > > > > > > > > > > > > > https://secure.authorize.net/gateway/transact.dll";> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > DateConvert('local2UTC', Now())) > > > > key="#transactionKey#"> > > > > > > Amount: #amount# > Description: #description# > Enter Last Name: size="20" /> > > > > > > > > > > > > > > > > > /> > > > > > > > > > > > > > > To: cf-talk@houseoffusion.com > > Subject: Re: ColdFusion / authorize.net question > > Date: Sun, 17 Aug 2014 22:59:41 -0700 > > From: jonah@creori.com > > > > > > I don't have much time, but post up a gist of your code or something and > > I'll take a look. Seems like you're just missing a minor detail or are > > having a conceptual issue. > > > > > ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359126 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: ColdFusion / authorize.net question
Dear .jonah, Good morning. Thank you so much. The code is below. The page is set up here: http://nnvawi.org/sample.cfm You can try it out and see that there is a blank value for field Last Name in the authorize form. I have tried to follow the sample code given by authorize.net. Thank you very much for any advice you can give me, and for your time. best from Eric Code: http://www.w3.org/TR/html4/loose.dtd";> Sample SIM Implementation https://secure.authorize.net/gateway/transact.dll";> Amount: #amount# Description: #description# Enter Last Name: > To: cf-talk@houseoffusion.com > Subject: Re: ColdFusion / authorize.net question > Date: Sun, 17 Aug 2014 22:59:41 -0700 > From: jonah@creori.com > > > I don't have much time, but post up a gist of your code or something and > I'll take a look. Seems like you're just missing a minor detail or are > having a conceptual issue. > ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359125 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm