I don't have much time, but post up a gist of your code or something and
I'll take a look. Seems like you're just missing a minor detail or are
having a conceptual issue.
On 8/17/14, 9:36 PM, Eric Bourland wrote:
Has anyone here tried out the ColdFusion SIM* sample code from authorize.net?
Dear .jonah,
Good morning. Thank you so much.
The code is below. The page is set up here: http://nnvawi.org/sample.cfm
You can try it out and see that there is a blank value for field Last Name in
the authorize form.
I have tried to follow the sample code given by authorize.net.
Thank you
Eric, looking at your sample form, you are never populating the hidden
x_last_name field with the value from the LastName field. Also, your
LastName field is outside of the form tags. You need to use javascript to
populate the x_last_name field with the value of LastName when someone
clicks the
On 8/18/2014 12:36 AM, Eric Bourland wrote:
Has anyone here tried out the ColdFusion SIM* sample code from authorize.net?
I
A version of the below has been working great for me. I use it as a
include on my form processing page that also records the appropriate
data to the customers record
Les, your implementation is using the Direct Post Method (DPM), not the
Server Integration Method (SIM) that Eric is trying to implement.
On Mon, Aug 18, 2014 at 2:52 PM, Les Mizzell lesm...@bellsouth.net wrote:
On 8/18/2014 12:36 AM, Eric Bourland wrote:
Has anyone here tried out the
Hi All -
Recently we've been under a email injection attack where we have unauthorized
emails being sent through our coldfusion application. At this point we are
unsure if it is through an email injection attack or not but if anybody has any
advice on how to figure out where the attack is
Can you explain a bit more what you mean by email injection attack? Do you
mean someone is spamming forms that generate forms email, or is someone using
some application you have to generate spam? Can you provide a slightly better
explanation of what's happening?
Robert Harrison
Director
Hi Robert - Thanks for the reply, yes of course let me explain a bit more.
While checking our sent mail logs, logged by coldfusion, we noticed emails were
being sent out that was not directly sent through our own pages. Spam emails
that were sent to different outside emails.
So we can see
Make sure the cfmail option for logging sent mail is enabled via the
CFAdmin. This will tell you if CF is actually sending the mail. The log
file will be in your CF root under logs. I think it's mailsent.log.
Most likely one of two things.
You have a web form that sends through another
Do you have admin control of this server or is it a shared host? If its a
server you control then its a simple matter to lock down the mail server,
right? Require smtp auth for all senders and then use smtp auth in your
cfmail statements in your code. That would be just step 1 of a hardening
No really good way in CF logs that I know to see the actual file that sent
the CFMail.
Might be able to correlate your web server access logs to the cf mail sent
log with the timestamp.
Most of the time attacks like this will be all at once, so it should be
fairly easy to see in the web logs.
What version of ColdFusion are you currently on and what's your patch
level. I've seen instances where the vulnerability in the AdminAPI is
exploited to upload templates that mass send junk mail. Look for a file
called h.cfm in your CFIDE folder and in your webroot. That is the usual
To try and directly answer your question: I don't believe there are any
logs that nail down what template a bit of mail is sent from. mailsent.log
only says, for example:
Information,scheduler-3,01/03/14,18:32:18,,Mail: 'Subject Goes
Here' From:'whoe...@wherever.com' To:'vic...@spamworld.com'
There are a bunch of things you can do depending on exactly how this is
happening. Using STMP authentication is one... but if you think your forms are
being spoofed, you may be able to use cgi vars to get some info.
You can use CGI referrer to see if the request is coming from the correct
The server itself is our own dedicated webserver, and as for our email server
we're using Microsoft 365 so I do not think the compromise is at that level.
I may implement the smtp auth piece to at least mitigate the issue as of now.
Thanks for the suggestion!
Do you have admin control of
Hey Jeff -
This is our current coldfusion setup:
Server Product ColdFusion
Version 8,0,1,195765
Update Level /C:/ColdFusion8/lib/updates/hf801-3.jar
I took a look for the h.cfm file under the CDIFE root and the webroot and did
a search as well for this file but did not see
The easiest thing to do is to scan your site code to see what pages contain
the cfmail tag. The next thing is to look at your web server logs to see
who is requesting those pages. If you allow for the site visitor to specify
who the mail is being sent to, then you are opening yourself up to
I currently have logging for sent mail through cfadmin so that is really the
way I found out that email is being sent outbound somehow.
I do have captcha implementation on my forms, but it's been a bit of time since
I initially implemented this, so I was also considering the possibility that
Regarding the 'h.cfm' issue, go to the bathroom first (your upholstery will
thank me) and THEN sit down and read this.
http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat
and the two follow-on blog entries linked at page bottom. This did quite a
job of rocking many
Hey Dean -
I'll be looking at my webserver logs to see if I can see any correlation with
my mail logs. But to respond to your thought, none of the code so far allows
the user to specify who they're sending to. The forms that send email are at
the very basic level just notification to our
if sending by CF but not using your code that could mean they are running
cf code you didn't write.
--
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com
~|
Order the Adobe Coldfusion Anthology now!
To consolidate a few thoughts here -
1) I will be looking to webserver logs and mail sent logs to see if I see any
points of contact of when/where the attacks are coming from. If I can isolate
the problem to it actually being a page attack (ie. email inject) vs a
serverside compromise (ie.
Garry
The hack files are not always called h.cfm. In fact that was just one named
used by one attacker. there was also i.cfm by another attacker. Others have
used other file names and/or other techniques as described in this blog post
that Mark Kruger wrote that describes an exploit method I
Dean and Les,
Thank you for these helpful remarks. Dean, I think I did implement, in another
draft of this form, the idea that you suggested -- but I will check that and
confirm. I've been working on this task stubbornly for three days and have many
versions of this code. I will check my
http://nnvawi.org/sample2.cfm
When I use the code, below, then the Last Name field in the authorize.net page
gets populated with:
cfoutput/cfoutput
So it looks like something is ... erasing the value of #form.lastname#:
cfset lastname=cfoutput#form.lastname#/cfoutput !--- set value of
I might try
cfset lastname=form.lastname
instead of
cfset lastname=cfoutput#form.lastname#/cfoutput
Eric Bourland ebwebw...@outlook.com wrote:
http://nnvawi.org/sample2.cfm
When I use the code, below, then the Last Name field in the authorize.net
page gets populated with:
Dear Roger,
Thanks for that. However,
cfset lastname=form.lastname !--- set value of lastname from
#form.lastname#---
inserts value form.lastname in the Last Name field in the authorize.net form.
I think I need the outputs. I am also wondering why any value that occurs
between the outputs
cfoutput
cfset lastname=#form.last_name#
/cfoutput
but in order for this to work, you need to have a form field with
name=lastname and you don't appear to have that in the code you
posted.
And I agree with Roger that renaming the field names to the variable
name you need to send is the simpler
...nd obviously I am going to generate a new transaction key since I just
posted mine.
sigh.
***
Eric Bourland
Internet Project Development
Washington DC
kind | creative | reliable
To: cf-talk@houseoffusion.com
Subject: RE: ColdFusion / authorize.net question
Date: Mon,
An easier option would be to just rename your LastName
field to x_last_name and not have to deal with the javascript at all.
Dean, Maureen: I agree that simple is best. So, I dispensed with cfset, and
used this:
!--- Create the HTML form containing necessary SIM post values ---
FORM
You don'tneed the double quotes around form.lastname in a cfset statement.
Eric Bourland ebwebw...@outlook.com wrote:
Dear Roger,
Thanks for that. However,
cfset lastname=form.lastname !--- set value of lastname from
#form.lastname#---
inserts value form.lastname in the Last
You now have two form fields with the same name. You can lose the
hidden field for x_last_name since you now are getting it from the
input.
On Mon, Aug 18, 2014 at 7:21 PM, Eric Bourland ebwebw...@outlook.com wrote:
An easier option would be to just rename your LastName
field to
Maureen, you're my hero. That worked. Dean, Roger, Les -- thank you all very
much.
So -- I need to rename some form fields now. I think I can take it from here.
On the phone with authorize.net right now to change API Login Key and
Transaction ID after posting them here with my code in a
I'd also enlist the help of your hosting provider if server level
troubleshooting is part of your service level agreement. It's usually in
their best interest to squash this type of activity, as it can get their ip
addreses and ranges blacklisted.
Byron Mann
Lead Engineer Architect
Glad to be of help, and don't worry about the boneheadedness. I spent
hours last week trying to debug a similar issue with a form only to
discover I had a minus sign where I needed an equal sign. Stuff
happens.
On Mon, Aug 18, 2014 at 8:05 PM, Eric Bourland ebwebw...@outlook.com wrote:
35 matches
Mail list logo