Re: EMail Injection Attack

2014-08-19 Thread Jochem van Dieten
On Mon, Aug 18, 2014 at 9:56 PM, Garry Tran wrote: > My first question is - is there a way to trace back to which page cfmail > is being called from? Are there any logs that I can view that would allow > us to track down what pages are being hijacked? > If I write code where a cfmail tag is cal

Re: EMail Injection Attack

2014-08-18 Thread Byron Mann
I'd also enlist the help of your hosting provider if server level troubleshooting is part of your service level agreement. It's usually in their best interest to squash this type of activity, as it can get their IP addresses and ranges blacklisted. Byron Mann Lead Engineer & Architect HostMySite.c

Re: EMail Injection Attack

2014-08-18 Thread Wil Genovese
; > Original Message >> From: "G T" >> Sent: Monday, August 18, 2014 1:13 PM >> To: "cf-talk" >> Subject: Re: EMail Injection Attack >> >> Hi Robert - Thanks for the reply, yes of course let me explain a bit > mor

Re: EMail Injection Attack

2014-08-18 Thread Money Pit
If sending by CF but not using your code that could mean they are running cf code you didn't write. -- --m@Robertson-- Janitor, The Robertson Team mysecretbase.com ~| Order the Adobe Coldfusion Anthology now! http://www.amazon

Re: EMail Injection Attack

2014-08-18 Thread G T
came across this community and so far this has been extremely helpful. > Hi All - > > Recently we've been under an email injection attack where we have > unauthorized emails being sent through our coldfusion application. At > this point we are unsure if it is through an em

Re: EMail Injection Attack

2014-08-18 Thread G T
Hey Dean - I'll be looking at my webserver logs to see if I can see any correlation with my mail logs. But to respond to your thought, none of the code so far allows the user to specify who they're sending to. The forms that send email are at the very basic level just notification to our int

Re: EMail Injection Attack

2014-08-18 Thread Money Pit
Regarding the 'h.cfm' issue, go to the bathroom first (your upholstery will thank me) and THEN sit down and read this. http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat and the two follow-on blog entries linked at page bottom. This did quite a job of rocking many wo

Re: EMail Injection Attack

2014-08-18 Thread G T
I currently have logging for sent mail through cfadmin so that is really the way I found out that email is being sent outbound somehow. I do have captcha implementation on my forms, but it's been a bit of time since I initially implemented this, so I was also considering the possibility that t

Re: EMail Injection Attack

2014-08-18 Thread Dean Lawrence
The easiest thing to do is to scan your site code to see what pages contain the cfmail tag. The next thing is to look at your web server logs to see who is requesting those pages. If you allow for the site visitor to specify who the mail is being sent to, then you are opening yourself up to someon

Re: EMail Injection Attack

2014-08-18 Thread G T
Hey Jeff - This is our current coldfusion setup: Server Product ColdFusion Version 8,0,1,195765 Update Level /C:/ColdFusion8/lib/updates/hf801-3.jar I took a look for the "h.cfm" file under the CFIDE root and the webroot and did a search as well for this file but did not see a

Re: EMail Injection Attack

2014-08-18 Thread G T
The server itself is our own dedicated webserver, and as for our email server we're using Microsoft 365 so I do not think the compromise is at that level. I may implement the smtp auth piece to at least mitigate the issue as of now. Thanks for the suggestion! >Do you have admin control of thi

RE: EMail Injection Attack

2014-08-18 Thread Robert Harrison
There are a bunch of things you can do depending on exactly how this is happening. Using SMTP authentication is one... but if you think your forms are being spoofed, you may be able to use cgi vars to get some info. You can use CGI referrer to see if the request is coming from the correct pa

Re: EMail Injection Attack

2014-08-18 Thread Jeff Garza
G T" > Sent: Monday, August 18, 2014 1:13 PM > To: "cf-talk" > Subject: Re: EMail Injection Attack > > Hi Robert - Thanks for the reply, yes of course let me explain a bit more. > > While checking our sent mail logs, logged by coldfusion, we noticed emails

Re: EMail Injection Attack

2014-08-18 Thread Money Pit
ne tools to check if your mail server has an open relay. > > http://mxtoolbox.com/diagnostic.aspx > > ~Byron > > > On Mon, Aug 18, 2014 at 3:56 PM, Garry Tran wrote: > > > > > Hi All - > > > > Recently we've been under an email injection attack where we hav

Re: EMail Injection Attack

2014-08-18 Thread Byron Mann
No really good way in CF logs that I know to see the actual file that sent the CFMail. Might be able to correlate your web server access logs to the cf mail sent log with the timestamp. Most of the time attacks like this will be all at once, so it should be fairly easy to see in the web logs. ~

Re: EMail Injection Attack

2014-08-18 Thread Money Pit
ct - > where they use form submissions to inject their own coldfusion code to form > their own 'cfmail' sends. > http://www.asadesigner.com/13-coldfusion/07d6a249de5791e6.htm > > Please let me know if you need additional info > > > Can you explain a bit more what

Re: EMail Injection Attack

2014-08-18 Thread Byron Mann
s, log location will vary based on the server used. There are several online tools to check if your mail server has an open relay. http://mxtoolbox.com/diagnostic.aspx ~Byron On Mon, Aug 18, 2014 at 3:56 PM, Garry Tran wrote: > > Hi All - > > Recently we've been under a emai

Re: EMail Injection Attack

2014-08-18 Thread G T
form their >own 'cfmail' sends. >http://www.asadesigner.com/13-coldfusion/07d6a249de5791e6.htm Please let me know if you need additional info > Can you explain a bit more what you mean by email injection attack? > Do you mean someone is spamming forms that generate fo

RE: EMail Injection Attack

2014-08-18 Thread Robert Harrison
Can you explain a bit more what you mean by email injection attack? Do you mean someone is spamming forms that generate forms email, or is someone using some application you have to generate spam? Can you provide a slightly better explanation of what's happening? Robert Harrison Dir

EMail Injection Attack

2014-08-18 Thread Garry Tran
Hi All - Recently we've been under an email injection attack where we have unauthorized emails being sent through our coldfusion application. At this point we are unsure if it is through an email injection attack or not but if anybody has any advice on how to figure out where the atta