Re: New Round of Exploits going on
Unfortunately Andrew, things are never that simple. For every customer like yourself who wants this turned off, there will be 100 customers who want it turned on. Most people do not know about or care about the security side of hosting, and just want everything enabled, which makes their life easier. So as soon as they hear the word "disabled", their initial response will be things like:

1) Our previous host did not do this
2) Then we will have to look for another host

Many hosts are, I'm sure, simply giving in to the demands of the majority of their customers and providing them with the services they want even though they are insecure. I regularly explain to customers/developers why cfexecute is disabled, why they do not have read/write access to the entire server, why createobject(java) is disabled by default, and in general why things have to be locked down on a shared server.

We do however stick to our main security policies, so our servers are more secure than most, but this of course comes at a cost, as many customers simply will not accept such restrictions and would rather go and find an insecure host instead.

At the end of the day, if you want security and control over your hosting environment the solution is simple: DO NOT USE SHARED HOSTING.

On Mon, Feb 11, 2013 at 5:32 AM, Andrew Scott <andr...@andyscott.id.au> wrote:
> One thing I hate about some hosting companies is that they have Robust Exceptions switched on, but what concerns me even more is that they don't care that this is a security risk... If your hosting company is one of them, get in their ears about having it switched off. If they refuse then it's time for a change.

--
Russ Michaels
www.bluethunderinternet.com : Business hosting services solutions
www.cfmldeveloper.com : ColdFusion developer community
www.michaels.me.uk : my blog
www.cfsearch.com : ColdFusion search engine
skype me : russmichaels

~| Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354448
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: New Round of Exploits going on
Yeah I guess, but that is why there are log files, so there is really no excuse. But how cost efficient would it be to just move those people over to their own server so they can affect themselves? And I would bet that it is these people who also turn off UAC on Windows and get all types of infections, and could very well be the ones ftping up infected files to begin with.

Russ, I hear you, but then maybe they are better off elsewhere if they can't understand the implications.

--
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354449
Re: New Round of Exploits going on
Unfortunately no host can afford to tell all their customers "you're better off elsewhere". It would not be cost efficient at all to give a shared hosting customer their own server for the same price; they would lose money, I doubt the cost would even be remotely covered. Both of those solutions would put any host out of business very quickly.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354450
Problem with Hackers on Donation form through Authorize.net
Hi, guys... I've been running my first eCommerce setup with a donation page/form using Authorize.net. Things have been running fine, except for spammers using the donation form to find legitimate CC numbers so they could abuse the card in other ways. I've assumed, up to this point, that the spammers are bots, not humans. The spam attempts happened every 15-30 seconds for about an hour, then they stop. Very few are able to successfully process a transaction, but I'm trying to stop the form from being submitted.

I've tried honey-pot traps, then moved to CF's captcha (at its default level of difficulty). So far, the spam attempts keep coming and my client is wondering if they need to get someone (besides me) to handle the donations since I can't seem to stop the spam.

I realize that if someone is hiring cheap human labor for $1 per day to sit and enter form info, that I can't stop that, but if it is bots doing the spamming, will making CF captcha more difficult to read have a good chance of stopping the bots, or do I need to get with reCaptcha? I like using CF's solution, because I can code it myself. But if it doesn't work...

Thoughts on this? I've got to get a solution working.

Thanks for any feedback!

Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354451
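The pattern Rick describes (a POST every 15-30 seconds for an hour, almost all of them failing at the gateway) is card testing: stolen numbers being checked for validity against a live merchant account. A CAPTCHA only raises the cost per attempt; a velocity check on the submission log catches the burst itself whether the sender is a bot or a human. The example below is added here and is not code from the thread, from CFFormProtect or from Authorize.net. The log line format, the window length and the thresholds are assumptions; the sample log lines are constructed.

```python
"""Flag card-testing bursts against a donation endpoint from a submission log.

Added example, not code from the original thread. The log format and the
thresholds are assumptions; adjust them to your own access log and to the
decline rate your gateway normally returns.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic): timestamp, client IP,
# request path, and the gateway result the application logged for that POST.
SAMPLE_LOG = """\
2013-02-11 09:00:02 203.0.113.5 POST /modules/donate/donation-form.cfm result=declined
2013-02-11 09:00:19 203.0.113.5 POST /modules/donate/donation-form.cfm result=declined
2013-02-11 09:00:41 203.0.113.5 POST /modules/donate/donation-form.cfm result=declined
2013-02-11 09:01:03 203.0.113.5 POST /modules/donate/donation-form.cfm result=approved
2013-02-11 09:01:27 203.0.113.5 POST /modules/donate/donation-form.cfm result=declined
2013-02-11 09:05:10 198.51.100.7 POST /modules/donate/donation-form.cfm result=approved
2013-02-11 13:30:00 198.51.100.7 POST /modules/donate/donation-form.cfm result=approved
"""

WINDOW = timedelta(minutes=10)   # assumption: sliding window length
MAX_ATTEMPTS = 4                 # assumption: this many POSTs in WINDOW is a burst
MAX_DECLINE_RATIO = 0.5          # assumption: mostly-declined bursts look like carding


def parse_line(line):
    """Parse one log line in the constructed format into (timestamp, ip, result)."""
    date, time, ip, _method, _path, result = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, ip, result.split("=", 1)[1]


def find_card_testing(log_text, window=WINDOW, max_attempts=MAX_ATTEMPTS,
                      max_decline_ratio=MAX_DECLINE_RATIO):
    """Return {ip: (attempts, declines)} for every IP whose submissions inside
    a sliding window reach max_attempts with a decline ratio above the limit.
    The tuple kept per IP is the highest pair seen."""
    recent = defaultdict(deque)   # ip -> deque of (ts, result) still inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, result = parse_line(line)
        q = recent[ip]
        q.append((ts, result))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        attempts = len(q)
        declines = sum(1 for _, r in q if r == "declined")
        if attempts >= max_attempts and declines / attempts > max_decline_ratio:
            flagged[ip] = max(flagged.get(ip, (0, 0)), (attempts, declines))
    return flagged


if __name__ == "__main__":
    for ip, (attempts, declines) in find_card_testing(SAMPLE_LOG).items():
        print(f"{ip}: {attempts} attempts, {declines} declined inside {WINDOW}")
```

The same per-IP count can be kept in the application scope and checked in the CFC before the gateway call, so a flagged source gets a generic "transaction not processed" response without a card ever reaching Authorize.net; that protects the merchant account from the decline penalties and chargebacks that successful tests produce, which a CAPTCHA does not.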
Re: New Round of Exploits going on
Russ, I never meant their own server. I meant put all customers who want the robust exceptions onto the same server.

But I did raise an enhancement with Adobe, where my suggestion is to have robust exceptions off by default and not be able to enable or disable it from the CF admin. However, if the customer wants to exploit their own site then they have the option to turn that level of exception on in the Application.cfc.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354452
Re: Problem with Hackers on Donation form through Authorize.net
> I realize that if someone is hiring cheap human labor for $1 per day to sit and enter form info, that I can't stop that, but if it is bots doing the spamming, will making CF captcha more difficult to read have a good chance of stopping the bots, or do I need to get with reCaptcha? I like using CF's solution, because I can code it myself. But if it doesn't work...

I recommend you use this instead of any CAPTCHA: http://cfformprotect.riaforge.org/

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354453
RE: Problem with Hackers on Donation form through Authorize.net
Thanks for the recommendation, Dave. It seems like an all-in-one approach, like CFFormProtect, might be the only way to beat this thing! I'll go check it out...

Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354454
Re: Problem with Hackers on Donation form through Authorize.net
As an FYI, my blog never had a lot of spam, but it was pretty regular. When I started using CFFP, it dropped dramatically. I can't even remember my last spam comment.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354455
Re: New Round of Exploits going on
I would not think that is a cost effective solution either, as there is such a small number of customers who would request to be on a secure server. We offer something like that called semi-dedicated, but it is more expensive.

If CF had a web admin like Railo, it would solve all those types of issues really.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354456
Re: New Round of Exploits going on
IF, and it's a large IF, but IF you're willing to maintain your own machine, then a Slicehost with an open source CFML engine isn't all that much more expensive than a shared hosting plan.

For $20 USD a month you can have a Linode running whatever flavor of headless Linux that you want. Throw on Webmin/Virtualmin to handle site creation and updates. Throw on Railo on Tomcat. MySQL for DB, Apache to serve web traffic. Use IPTables to lock down all but SSH/HTTP/HTTPS/FTP/DNS. Virtualmin can be set to automatically check for package updates and deploy them on a set schedule. It can back up to an S3 bucket. Railo can be set to update automatically as well. Everything that is running is basically free; it's just going to cost you in time if you're not familiar with it.

Now, the cost in time for setup? That's going to be higher than just going with a shared host, but I personally found that my time is far offset against dealing with the latest issues that have come up with vulnerabilities.

NOTE: this doesn't address PCI compliance, as I've not had to go down that route. In that instance shared may still yet be cheaper, but given the prices I've seen on shared hosts that are PCI compliant, I still think it'd be cheaper to roll your own. But then, I'm able to do the admin and dev side of things.

--
Matthew Williams
Geodesic GraFX
www.geodesicgrafx.com/blog
twitter.com/ophbalance

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354457
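The "lock down all but SSH/HTTP/HTTPS/FTP/DNS" step above is the one that most often goes wrong on a self-managed box: a default ACCEPT policy with a few DROP rules, or a DROP policy that forgets loopback and established connections and locks the admin out. The example below is added here and is not Matthew's code or part of Webmin, Virtualmin or Railo. It renders an iptables-restore file from an explicit allowlist with a default-deny INPUT chain, and includes a small parser so a reviewer can list exactly which ports a ruleset accepts. Port numbers and the SSH rate limit are assumptions.

```python
"""Render and review a default-deny iptables ruleset for a single-box CFML server.

Added example, not code from the original thread or from any project it names.
Service ports and the SSH connection rate limit are assumptions; adjust them.
"""

# Service name -> (protocol, port). Assumption: standard ports for each service.
SERVICES = {
    "ssh":   ("tcp", 22),
    "http":  ("tcp", 80),
    "https": ("tcp", 443),
    "ftp":   ("tcp", 21),
    "dns":   ("udp", 53),
}


def build_ruleset(allowed, services=SERVICES):
    """Return iptables-restore text that drops all inbound traffic except the
    named services, loopback, and replies to connections this host started."""
    unknown = set(allowed) - set(services)
    if unknown:
        raise ValueError(f"unknown services: {sorted(unknown)}")
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",        # default deny inbound
        ":FORWARD DROP [0:0]",      # this box is not a router
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]
    for name in allowed:
        proto, port = services[name]
        if name == "ssh":
            # Assumption: more than 5 new SSH connections from one source in 60s
            # is a brute-force attempt; drop the excess before the ACCEPT rule.
            lines.append(f"-A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW "
                         "-m recent --set --name SSH")
            lines.append(f"-A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW "
                         "-m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP")
        lines.append(f"-A INPUT -p {proto} --dport {port} -m conntrack --ctstate NEW -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def exposed_ports(ruleset):
    """Parse iptables-restore text and return the set of (proto, port) pairs it
    accepts, so the result can be compared against the intended allowlist."""
    found = set()
    for line in ruleset.splitlines():
        parts = line.split()
        if "-j" in parts and parts[parts.index("-j") + 1] == "ACCEPT" and "--dport" in parts:
            proto = parts[parts.index("-p") + 1]
            port = int(parts[parts.index("--dport") + 1])
            found.add((proto, port))
    return found


if __name__ == "__main__":
    rules = build_ruleset(["ssh", "http", "https", "dns"])
    print(rules)
    print("accepts:", sorted(exposed_ports(rules)))
```

Load the output with `iptables-restore < rules.v4` from a console session, not over the SSH connection you are about to filter, and keep a second session open until the new rules are confirmed. FTP is left out of the default allowlist on purpose: it sends credentials in cleartext and needs the nf_conntrack_ftp helper plus a passive port range to work behind a DROP policy, and SFTP rides on the SSH port that is already open.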
Re: New Round of Exploits going on
Les Mizzell wrote:
> So, anybody know what this is doing? Allaire Cold Fusion Template

Something similar came up on StackOverflow last week (possibly the same exploit). That guy said the old AB Positive Encrypt and Decrypt utility was able to decrypt the file:
http://www.adobe.com/cfusion/exchange/index.cfm?event=extensionDetail&extid=1007043

-Leigh

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354458
RE: Problem with Hackers on Donation form through Authorize.net
Thanks for the feedback, Ray, Dave...

Does CFFormProtect actually submit a form? I haven't parsed through the code yet, but I'm trying to determine if it just runs some tests for validation or does it continue on to submit the form.

The form and processing I've coded is quite extensive and involves jQuery on the client side for validation, then CF validation in a CFC, then, if all's well, I use cfhttp to submit the form to Authorize.net. I've got to figure out just how CFFormProtect fits into this equation. I've implemented it per the instructions, but I'm not sure just what type of processing environment it's supposed to fit into.

I did get one successful transaction that I submitted to process with CFFormProtect implemented, but the second one didn't pass CFFormProtect and I didn't get a form response (success/failure) back from the AJAX submission function.

If anyone cares to look, the form is at http://uso.whitestonemedia.com/modules/donate/donation-form.cfm

That's the development site.

Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354459
Re: Problem with Hackers on Donation form through Authorize.net
No, it returns a pass/fail type response. In your example, I'd probably add it after you do client side validation and CF validation, but before the hit to Authorize.net.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354460
RE: Problem with Hackers on Donation form through Authorize.net
After more unsuccessful testing, I'm assuming that the form button at the end of the form needs to be an actual button with a type of submit to work with CFFormProtect? If so, this won't work because I don't use an actual button with a type of submit. The submit button for my form is just a regular button that triggers an AJAX function that sends the data to a CFC for further processing and then submission in the CFC to Authorize.net.

If I put:

    <cfset Cffp = CreateObject("component", "cfformprotect.cffpVerify").init() />

    <cfif Cffp.testSubmission(form)>

        <cfmail to="r...@whitestonemedia.com"
                from="r...@whitestonemedia.com"
                subject="Form Passed CFFormProtect Test!">
            Form passed CFFormProtect test!
        </cfmail>

        <!--- [ send data to authorize.net using arguments passed to method... ] --->
        <!--- [ send acknowledgement emails to donors, etc ] --->

    <cfelse>

        <cfset authorizeStruct.FORMPOSTSTATUS = 'invalid' />
        <cfset authorizeStruct.TRANSACTIONSTATUS = 'Transaction not processed...' />
        <cfreturn authorizeStruct />

    </cfif>

Even when I know the form values are correct, I get the failed notices at the end. So somehow the form values aren't passing the tests for CFFormProtect.

I see there's mention of logFailure() and 'logFailedTests' and 'logFile' in the notes, but I haven't figured out where to use those.

Thoughts?

Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354461
Re: Problem with Hackers on Donation form through Authorize.net
On Mon, Feb 11, 2013 at 1:45 PM, Rick Faircloth <r...@whitestonemedia.com> wrote:

> After more unsuccessful testing, I'm assuming that the form button at the end of the form needs to be an actual button with a type of submit to work with CFFormProtect?

Not as far as I know. I'm a bit rusty on the API, but here is how BlogCFC uses it:

<cfif application.usecfp and not isLoggedIn()>
    <cfset cffp = createObject("component", "cfformprotect.cffpVerify").init() />
    <!--- now we can test the form submission --->
    <cfif not cffp.testSubmission(form)>
        <cfset arrayAppend(aErrors, "Your comment has been flagged as spam.") />
    </cfif>
</cfif>

If for some reason your Form struct wasn't, well, the Form, but it was somewhere else, you would just pass that data in. I *believe* it does look at some things in terms of a form post, but it isn't tied to just that.

> If so, this won't work because I don't use an actual button with a type of submit. The submit button for my form is just a regular button that triggers an AJAX function that sends the data to a CFC for further processing and then submission in the CFC to Authorize.net.
>
> If I put:
>
> <cfset Cffp = CreateObject("component", "cfformprotect.cffpVerify").init() />
> <cfif Cffp.testSubmission(form)>
>
> Even when I know the form values are correct, I get the failed notices at the end. So somehow the form values aren't passing the tests for CFFormProtect. I see there's mention of logFailure() and 'logFailedTests' and 'logFile' in the notes, but I haven't figured out where to use those.

I'd figure it out. ;)

Also, have you tried contacting the project admin? http://cfformprotect.riaforge.org/

--
===
Raymond Camden, Adobe Developer Evangelist
Email : raymondcam...@gmail.com
Blog : www.raymondcamden.com
Twitter: cfjedimaster

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354462
RE: Problem with Hackers on Donation form through Authorize.net
I have just gone through this... A big problem is that the owner complains and the credit card company charges you a penalty, and if many get through they can dump you.

At first, I banned the IP address when someone tried 3 times unsuccessfully. That worked for about a day, then they would come back and try again, but with different IPs. Must be real people and not a bot.

Then I tried something different... if someone tries 3 times without success, I flag the IP address, and then when they submit a donation, I return the page that says it failed (and I do not even send it on to the credit card company). I also flag the entire subnet to make it harder to get around. Most are from South America and China.. should probably reject any non-North American IP..

A few people have called me and told me they tried to make a donation and they get rejected for no apparent reason.. in which case I take the donation by phone.

I went about a month without 1 complaint, so it might be working!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354463
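The "three strikes, then silently decline" gate described in the post above, written out as an added example in Python (the thread's own code is ColdFusion; this is not Al's code or any project's). The threshold of 3 failures and the per-subnet flag come from the post; the /24 prefix, the in-memory store, the `charge` callback standing in for the Authorize.net call, and the sample addresses (RFC 5737 documentation ranges) are assumptions. The point a card-testing fraudster is denied is the feedback loop: a flagged source gets the same "declined" response as a genuine decline, so it learns nothing and the processor never sees the attempt.

```python
"""Soft-fail gate for repeated failed card submissions (added example, not from the thread).

After MAX_FAILURES declines from one address, the address and its enclosing
subnet are flagged. Later submissions from anything flagged receive the normal
"declined" response without the gateway ever being called.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Set

MAX_FAILURES = 3      # threshold used in the post
SUBNET_PREFIX = 24    # assumption: "the entire subnet" taken as a /24 for IPv4


@dataclass
class FraudGate:
    failures: Dict[str, int] = field(default_factory=dict)
    flagged_ips: Set[str] = field(default_factory=set)
    flagged_subnets: Set[str] = field(default_factory=set)

    @staticmethod
    def subnet_of(ip: str) -> str:
        # Normalise to the enclosing /24 (or /64 for IPv6) so one flag covers the neighbourhood.
        addr = ip_address(ip)
        prefix = SUBNET_PREFIX if addr.version == 4 else 64
        return str(ip_network(f"{addr}/{prefix}", strict=False))

    def is_flagged(self, ip: str) -> bool:
        return ip in self.flagged_ips or self.subnet_of(ip) in self.flagged_subnets

    def record_failure(self, ip: str) -> None:
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= MAX_FAILURES:
            self.flagged_ips.add(ip)
            self.flagged_subnets.add(self.subnet_of(ip))

    def submit(self, ip: str, charge: Callable[[], bool]) -> dict:
        """Route one donation attempt.

        `charge` stands in for the gateway call and returns True on approval.
        Flagged sources never reach it and get the same response shape as a
        real decline, so the sender cannot tell the two apart.
        """
        if self.is_flagged(ip):
            return {"status": "declined", "sent_to_processor": False}
        approved = charge()
        if not approved:
            self.record_failure(ip)
        return {"status": "approved" if approved else "declined", "sent_to_processor": True}


def demo() -> dict:
    """Constructed scenario: three declines from 203.0.113.10, then a /24 neighbour and a stranger."""
    gate = FraudGate()
    for _ in range(3):
        gate.submit("203.0.113.10", charge=lambda: False)
    neighbour = gate.submit("203.0.113.77", charge=lambda: True)   # same /24, would have been approved
    stranger = gate.submit("198.51.100.5", charge=lambda: True)    # unrelated /24
    return {"neighbour": neighbour, "stranger": stranger, "flagged": gate.is_flagged("203.0.113.10")}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the counters belong in a shared store (database or application scope) with an expiry, so a legitimate donor who mistypes a card number three times is not locked out for good; the post's own fallback of taking such donations by phone is the other half of that trade-off.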
RE: Problem with Hackers on Donation form through Authorize.net
Thanks for the info, Al... It is a royal pain trying to deal with these hackers.

I might just try a combination of two things:

1) a honey pot to catch the humans when it's empty
2) a captcha for the bots who, supposedly, can't read them

Wonder if that would work?

-----Original Message-----
From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
Sent: Monday, February 11, 2013 4:32 PM
To: cf-talk
Subject: RE: Problem with Hackers on Donation form through Authorize.net

I have just gone through this... A big problem is that the owner complains and the credit card company charges you a penalty, and if many get through they can dump you.

At first, I banned the IP address when someone tried 3 times unsuccessfully. That worked for about a day, then they would come back and try again, but with different IPs. Must be real people and not a bot.

Then I tried something different... if someone tries 3 times without success, I flag the IP address, and then when they submit a donation, I return the page that says it failed (and I do not even send it on to the credit card company). I also flag the entire subnet to make it harder to get around. Most are from South America and China.. should probably reject any non-North American IP..

A few people have called me and told me they tried to make a donation and they get rejected for no apparent reason.. in which case I take the donation by phone.

I went about a month without 1 complaint, so it might be working!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354464
Re: Problem with Hackers on Donation form through Authorize.net
One site of mine for a dance company used to get a ton of spam through contact forms. Everybody hated CAPTCHA, so I put a simple question with radio button choices:

A cow goes?
a. quack
b. woof
c. moo
d. chirp

VERY low tech, but believe it or not, we've not gotten a single piece of bot spam since! Wouldn't advise this for most uses though...

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354465
RE: Problem with Hackers on Donation form through Authorize.net
Boy, was that a stupid, not-thought-out approach! I was so focused on separating the spamming humans from the spamming bots, I came up with a solution that wouldn't let human or bot submit a form, whether the human was a legitimate donor or not!

Duh! (It's been a long day... time to go to Outback!)

Rick

-----Original Message-----
From: Rick Faircloth [mailto:r...@whitestonemedia.com]
Sent: Monday, February 11, 2013 4:40 PM
To: cf-talk
Subject: RE: Problem with Hackers on Donation form through Authorize.net

Thanks for the info, Al... It is a royal pain trying to deal with these hackers.

I might just try a combination of two things:

1) a honey pot to catch the humans when it's empty
2) a captcha for the bots who, supposedly, can't read them

Wonder if that would work?

-----Original Message-----
From: Al Musella, DPM [mailto:muse...@virtualtrials.com]
Sent: Monday, February 11, 2013 4:32 PM
To: cf-talk
Subject: RE: Problem with Hackers on Donation form through Authorize.net

I have just gone through this... A big problem is that the owner complains and the credit card company charges you a penalty, and if many get through they can dump you.

At first, I banned the IP address when someone tried 3 times unsuccessfully. That worked for about a day, then they would come back and try again, but with different IPs. Must be real people and not a bot.

Then I tried something different... if someone tries 3 times without success, I flag the IP address, and then when they submit a donation, I return the page that says it failed (and I do not even send it on to the credit card company). I also flag the entire subnet to make it harder to get around. Most are from South America and China.. should probably reject any non-North American IP..

A few people have called me and told me they tried to make a donation and they get rejected for no apparent reason.. in which case I take the donation by phone.

I went about a month without 1 complaint, so it might be working!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354466
CFEXECUTE with multiple arguments
Hello,

I can't get OpenSSL to run with CFEXECUTE. I've tried different attempts at the following, but it doesn't work:

<cfexecute name="C:\Program Files (x86)\GnuWin32\bin\openssl"
           arguments="aes-256-cbc -a -salt -in C:\Users\Dev2\Documents\My Stuff\OpenSSL\secrets.txt -out C:\Users\Dev2\Documents\My Stuff\OpenSSL\secrets2.txt"
           variable="result"
           timeout="5">
</cfexecute>
<cfdump var="#result#">

But then I'll run CFEXECUTE with OpenSSL and just one argument, version for example, and it runs fine.

Is there a way to do CFEXECUTE with multiple arguments?

Pete

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354467
Re: New Round of Exploits going on
Well, I guess the ticket I raised is too late. One can already do this:

<cfset this.enablerobustexception = true />

On Tue, Feb 12, 2013 at 3:53 AM, Leigh <cfsearch...@yahoo.com> wrote:

> Les Mizzell wrote:
>
> So, anybody know what this is doing? Allaire Cold Fusion Template
>
> Something similar came up on StackOverflow last week (possibly the same exploit). That guy said the old AB Positive Encrypt and Decrypt utility was able to decrypt the file:
>
> http://www.adobe.com/cfusion/exchange/index.cfm?event=extensionDetail&extid=1007043
>
> -Leigh

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354468
Re: Problem with Hackers on Donation form through Authorize.net
I came across an interesting way to get the country from the IP address..

http://www.mximize.com/getting-country-by-ip-based-on-geolite

I might set this up and block non-North American IPs...

At 04:43 PM 2/11/2013, Les Mizzell wrote:

> One site of mine for a dance company used to get a ton of spam through contact forms. Everybody hated CAPTCHA, so I put a simple question with radio button choices:
>
> A cow goes?
> a. quack
> b. woof
> c. moo
> d. chirp
>
> VERY low tech, but believe it or not, we've not gotten a single piece of bot spam since! Wouldn't advise this for most uses though...

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354469
Re: New Round of Exploits going on
(apologies for the length)

Russ, I can tell by your comments that you either have dealt with a lot of hosts or have worked at or owned one. Well said.

Having worked in the hosting space for more than 10 years now, I can safely say there is absolutely no 100% way to prevent these exploits on any platform. That is not to say there are not more secure options than shared hosting, but even at that you may need the above-average skill set.

I can make an argument that shared CF hosting is probably more secure for half the people using ColdFusion out there. How and why? Well, most probably have no one actively monitoring their servers. Not only do we have ourselves and tools looking at the servers, but our customers make us instantly aware of an issue. Even a subpar host probably has a better lockdown on CF than many non-host-managed CF users. How many can say they don't have root kits (or even know what that is) running on their server? Probably a lot on this list, but the average VPS, cloud or dedicated user out there, ummm, probably not.

Example: there was a recent issue we had with hidden elements being injected into files on a shared server. This was actually a customer running Wordpress. How many out there would have found that, and how quickly, say on a dedicated server with a site that only gets updated once a month?

The best you can do is be vigilant, do your patching and homework, and when the next compromise comes, take it on the cheek, mitigate, and take what you learned and try to improve for the next go around. And if you are a hosting customer, it's up to you to be aware and educated on what a host should and shouldn't be doing (aka this list). And then decide if it's time to move on or acceptable to you.

Of course I'm speaking in general terms, as this is the case with not only CF but all platforms. How many times a week do we hear about a Drupal or Wordpress issue? Just about as often as CF, if not more.

Quick fact: we have more dedicated, VPS, cloud (VMs) revenue affected by compromises than our shared customers.

But let's not all forget the real problem here. It's not CF users', the host's or Adobe's fault. It's the dirt bags out there who make escalations happen that result in the 3 am phone calls.

Byron Mann
Lead Engineer Architect
HostMySite.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354470
Re: CFEXECUTE with multiple arguments
Often found it easier to put things like this in a .bat file and run that with cfexecute. Sometimes using the DOS 8.3 convention for the path to eliminate the spaces in the folder names makes the quotes less of a hassle too.

Byron Mann
Lead Engineer Architect
HostMySite.com

On Feb 11, 2013 6:18 PM, Pete Swanson <peteswanso...@gmail.com> wrote:

> Hello,
>
> I can't get OpenSSL to run with CFEXECUTE. I've tried different attempts at the following, but it doesn't work:
>
> <cfexecute name="C:\Program Files (x86)\GnuWin32\bin\openssl"
>            arguments="aes-256-cbc -a -salt -in C:\Users\Dev2\Documents\My Stuff\OpenSSL\secrets.txt -out C:\Users\Dev2\Documents\My Stuff\OpenSSL\secrets2.txt"
>            variable="result"
>            timeout="5">
> </cfexecute>
> <cfdump var="#result#">
>
> But then I'll run CFEXECUTE with OpenSSL and just one argument, version for example, and it runs fine.
>
> Is there a way to do CFEXECUTE with multiple arguments?
>
> Pete

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354471
Re: Problem with Hackers on Donation form through Authorize.net
A fairly inexpensive and easy-to-implement fraud screening service is MaxMind minFraud. It's something like 0.005 per transaction, methinks.

Another method I didn't see in the thread was doing an email confirmation before performing the CC transaction. Like send an email to the user with a unique ID the user must click to verify a legit email address was used. Can still be bot'd, but requires a bit more work on their part, which might be enough to discourage them since there are a lot of other places for them to go do their dirtiness.

Byron Mann
Lead Engineer Architect
HostMySite.com

On Feb 11, 2013 11:13 AM, Rick Faircloth <r...@whitestonemedia.com> wrote:

> Hi, guys...
>
> I've been running my first eCommerce setup with a donation page/form using Authorize.net. Things have been running fine, except for spammers using the donation form to find legitimate CC numbers so they could abuse the card in other ways.
>
> I've assumed, up to this point, that the spammers are bots, not humans. The spam attempts happened every 15-30 seconds for about an hour, then they stop. Very few are able to successfully process a transaction, but I'm trying to stop the form from being submitted.
>
> I've tried honey-pot traps, then moved to CF's captcha (at its default level of difficulty). So far, the spam attempts keep coming and my client is wondering if they need to get someone (besides me) to handle the donations since I can't seem to stop the spam.
>
> I realize that if someone is hiring cheap human labor for $1 per day to sit and enter form info, that I can't stop that, but if it is bots doing the spamming, will making CF captcha more difficult to read have a good chance of stopping the bots, or do I need to get with reCaptcha. I like using CF's solution, because I can code it myself. But if it doesn't work...
>
> Thoughts on this? I've got to get a solution working.
>
> Thanks for any feedback!
>
> Rick

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354472
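The e-mail confirmation step Byron suggests above, as an added example in Python (not code from the thread or from any project). The donation is parked as pending, a single-use link carrying a random token is mailed out, and the card is only charged when that token comes back. Two details matter for the card-testing problem: the server stores only a hash of the token, so a leaked pending table cannot be used to confirm, and the comparison is constant-time. The 30-minute lifetime, the in-memory store, the `outbox` list standing in for cfmail, the `example.org` link and the donor addresses are all assumptions for the example.

```python
"""E-mail confirmation gate ahead of a card charge (added example, not from the thread)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List

TOKEN_TTL_SECONDS = 30 * 60   # assumption: confirmation link valid for 30 minutes


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class PendingDonation:
    email: str
    amount_cents: int
    token_digest: str    # only the digest is stored, never the raw token
    expires_at: float
    confirmed: bool = False


class ConfirmationFlow:
    def __init__(self, now=time.time):
        self.now = now
        self.pending: Dict[str, PendingDonation] = {}   # keyed by donation id
        self.outbox: List[str] = []                       # stand-in for cfmail
        self.charged: List[str] = []                      # donation ids handed to the gateway

    def start(self, email: str, amount_cents: int) -> str:
        """Record the donation as pending and mail a single-use confirmation link."""
        donation_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)                 # 256 bits of randomness, unguessable
        self.pending[donation_id] = PendingDonation(
            email, amount_cents, _digest(token), self.now() + TOKEN_TTL_SECONDS)
        self.outbox.append(f"{email} https://example.org/confirm?id={donation_id}&t={token}")
        return donation_id

    def confirm(self, donation_id: str, token: str) -> str:
        """Handle the click on the link; the gateway is called only on success."""
        rec = self.pending.get(donation_id)
        if rec is None:
            return "unknown"
        if rec.confirmed:
            return "already-used"
        if self.now() > rec.expires_at:
            return "expired"
        # Constant-time compare so a wrong token cannot be narrowed down by timing.
        if not hmac.compare_digest(rec.token_digest, _digest(token)):
            return "bad-token"
        rec.confirmed = True
        self.charged.append(donation_id)                  # Authorize.net call would go here
        return "charged"


def demo() -> Dict[str, str]:
    """Constructed walk-through with a controllable clock: guess, real click, replay, late click."""
    clock = [1_000_000.0]
    flow = ConfirmationFlow(now=lambda: clock[0])
    did = flow.start("donor@example.org", 2500)
    token = flow.outbox[-1].rsplit("&t=", 1)[1]
    results = {
        "guess": flow.confirm(did, "not-the-token"),
        "real": flow.confirm(did, token),
        "replay": flow.confirm(did, token),
    }
    did2 = flow.start("late@example.org", 1000)
    token2 = flow.outbox[-1].rsplit("&t=", 1)[1]
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["late"] = flow.confirm(did2, token2)
    results["charged"] = str(len(flow.charged))
    return results


if __name__ == "__main__":
    print(demo())
```

Pending records should be purged once expired, and the card details themselves should not sit in that table longer than the link lifetime; with a hosted payment form the pending record can hold only a gateway reference rather than the number.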
Re: Problem with Hackers on Donation form through Authorize.net
On 2/12/2013 12:06 PM, Al Musella, DPM wrote:

> I came across an interesting way to get the country from the IP address..
> http://www.mximize.com/getting-country-by-ip-based-on-geolite
> I might set this up and block non-North American IPs...

I would check w/ your client first. Not everybody outside NA is bent on conducting fraud. And will you exclude users from Mexico, Puerto Rico, etc.? And keep in mind that IP-to-country conversion isn't fool-proof as it is, never mind when folks actively try to defeat it.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354473