Discussion Topic: hacking question

bonehead | 09-25-2006 @ 9:25 PM
Junior Member | Posts: 94 | Joined: Sep 2004
I tried my best to keep spammers/hackers out of my band's guestbook. They seem to have an auto-script that enters spam into my database, about 30 a day. I have filters that filter the output (not letting links, photos, certain words be displayed). This works wonderfully BUT I have to stop the entries from getting in. I have security just like here on easycfm: I have a photo, and you have to type in the words in the graphic. They are bypassing my security, kinda but not really... it is like they aren't using my process.cfm page? The only way I can think of is that the hacker knows some Cold Fusion and somehow figured out the name of my datasource and table name. Is there a way to view the source of a page without actually clicking on the page? In other words, you can view the source of my guestbook.cfm page and see where the form action is pointing to, a page called process.cfm?action=add. Is there a way to view the source of that process.cfm page without ever getting to it (because obviously you cannot see the code once the form "does its thing")? BTW, in case you didn't know, hackers and spammers are awful and have kicked it up a notch recently! I'm a victim and I am also a hobbyist. Music is my profession but I'm forced to learn how to win this war so our fans can enjoy our site. Thanks
<CF Rock on>
mbear21 | 09-25-2006 @ 10:19 PM
New Member | Posts: 33 | Joined: Aug 2006
Try posting your code so we can see maybe where your problem is. I don't see how this could be possible if you have the right blocks on the page, i.e.:
Page 1: form with image validation is submitted.
Page 2: if the validation is input correctly, then insert into the database; if the validation is not input correctly, abort before it is inserted into the db.
Oh, and yes, there is a way to see the source code of pages without going to them, but again this shouldn't matter if you have the right blocks on your pages.
This message was edited by mbear21 on 9-25-06 @ 10:20 PM
bonehead | 09-25-2006 @ 11:32 PM
Junior Member | Posts: 94 | Joined: Sep 2004
There are 3 pages to my guestbook entries... My first page is called guestbook.cfm. It has 2 input fields, name and comment, and it passes these 2 parameters to random.cfm. This page passes on name and comment, and also captures IP and date, and browser... well, let me just post it. I have 20 little photos like the "secret word" here which randomly picks one. The person must type in the word to post his/her entry.

<cfoutput>
<form method="post" action="process.cfm?action=add">
<input type="hidden" name="date" value="#LSdateFormat(now(),'dd-mmm-yy')#">
<input type="hidden" name="ip" value="#REMOTE_ADDR#">
<input type="hidden" name="browser" value="#HTTP_USER_AGENT#">
<input type="hidden" name="fname" value="#fname#">
<input type="hidden" name="comment" value="#comment#">
<input type="hidden" name="hackr" value="#test[photo][TheRandNumber]#">

The field #hackr# is the image with code and random thing. A different database contains these images. Also, here's the input where they must match the image:

<input type="text" name="bustr" value="" size="20" maxlength="20">
<input type="submit" value="Post">
</form>
</cfoutput>

This form goes to process.cfm. process.cfm is as follows...

<cfoutput>
<cfparam name="hackr" default="two">
<cfparam name="bustr" default="one">

(I did this just in case the hacker has his/her own input page and stole the fields from one of my other ones, so these parameters by default do not match.)

<cfif bustr IS listFirst(hackr, '.')>
<cfinsert DATASOURCE="mysource" tablename="guests">

I stripped the .jpg from the hackr (to match bustr) just in case there was a script that stole the <input type=hidden name=hackr> field from the random.cfm page before. This assured me that the person had to type in the image name because the extension is there by default and must be removed for a match.

<cfelse>
<CFMODULE Template="/header.cfm">
<center><font face="Tahoma" size="2"><b>mismatch error, go back and type in the correct value</b></font></center>
<CFMODULE Template="/footer.cfm">
</cfif>
</cfoutput>

After I did this, I thought I did quite well and was proud of myself, so I emptied my guestbook and made a welcome entry and received spam within minutes! Altogether today it received 30 spam entries. I just deleted my process.cfm page from the folder. I am monitoring it now, so if it receives any more entries, I know for sure they are NOT using my process page and somehow have one of their own. If they know my datasource name, all these attempts are feeble. I have no internet or band enemies I am aware of. I am the only one to work on our site, so the only FTP account is mine. If, as you say, it is possible to view the source of a page without viewing it, this makes hacking quite simple and scary! Thanks for your help so far. It is much appreciated. <CF Rock on>
This message was edited by bonehead on 9-25-06 @ 11:35 PM
bonehead | 09-26-2006 @ 6:45 AM
Junior Member | Posts: 94 | Joined: Sep 2004
I'm tempted to say that the hacker is using my process page, because there have been no entries all night since I deleted it from the web folder. I looked in the Access database and the hacker entries contain IP, browser, and date fields (which the random form captures); however, the date field is being manipulated in some entries. Interestingly enough, the hackr and bustr fields are empty. I am giving them default values at the top of the process.cfm page of "one" and "two". Not quite sure how this is happening, but I thought I'd post as much info as I have. Thanks
<CF Rock on>
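Added example (not code from this thread or from easycfm): one way to restructure random.cfm and process.cfm so the check cannot be satisfied by a submission that leaves both fields blank, which is what the empty hackr and bustr columns in the last post point to. In the posted process.cfm the expected answer is sent to the browser in a hidden field, the cfparam defaults only apply when a field is absent (not when it is present but empty), and listFirst("", ".") returns "", so blank compared with blank passes the cfif. The version below never sends hackr to the browser at all: the expected answer stays in the session, the typed answer must be non-empty on both sides, every lookup is scoped to form, the challenge is good for one attempt, and the date, IP and browser come from the CGI scope instead of hidden fields. It assumes Application.cfm turns on session management, that test is a query whose photo column holds the challenge image file names (e.g. "word.jpg"), and it reuses the mysource datasource and guests table from the thread; the length limits are arbitrary choices.

```cfml
<!--- Application.cfm must contain (assumed, needed for the session scope):
      <cfapplication name="guestbook" sessionmanagement="true"> --->

<!--- random.cfm: pick the challenge image on the server and remember the
      expected answer in the session. The browser only ever sees the picture.
      Assumption: "test" is a query with a "photo" column of file names. --->
<cfset TheRandNumber = randRange(1, test.recordCount)>
<cfset session.captchaAnswer = listFirst(test.photo[TheRandNumber], ".")>
<cfoutput>
<form method="post" action="process.cfm?action=add">
  <input type="hidden" name="fname" value="#htmlEditFormat(form.fname)#">
  <input type="hidden" name="comment" value="#htmlEditFormat(form.comment)#">
  <img src="/captcha/#test.photo[TheRandNumber]#" alt="type the word shown">
  <input type="text" name="bustr" value="" size="20" maxlength="20">
  <input type="submit" value="Post entry">
</form>
</cfoutput>

<!--- process.cfm: defaults are empty strings, and an empty string is rejected
      explicitly, so "present but blank" no longer slips through. --->
<cfparam name="form.bustr" default="">
<cfparam name="form.fname" default="">
<cfparam name="form.comment" default="">

<cfset isValid = false>
<cfif structKeyExists(session, "captchaAnswer") AND len(trim(form.bustr)) GT 0>
  <!--- both sides exist and the typed side is non-empty; compare case-insensitively --->
  <cfset isValid = (compareNoCase(trim(form.bustr), trim(session.captchaAnswer)) EQ 0)>
</cfif>

<!--- one challenge, one attempt: drop the answer whether or not it matched,
      so a correctly typed value cannot be resubmitted --->
<cfset structDelete(session, "captchaAnswer")>

<cfif isValid AND len(trim(form.fname)) GT 0 AND len(trim(form.comment)) GT 0>
  <!--- overwrite the bookkeeping fields with server-side values; anything the
        client sent for date, ip or browser is discarded --->
  <cfset form.date = LSdateFormat(now(), "dd-mmm-yy")>
  <cfset form.ip = cgi.REMOTE_ADDR>
  <cfset form.browser = cgi.HTTP_USER_AGENT>
  <cfset form.fname = left(trim(form.fname), 50)>        <!--- limits are assumptions --->
  <cfset form.comment = left(trim(form.comment), 2000)>
  <!--- formfields restricts the insert to these columns; bustr is never stored --->
  <cfinsert datasource="mysource" tablename="guests"
            formfields="fname,comment,date,ip,browser">
  <cflocation url="guestbook.cfm" addtoken="no">
<cfelse>
  <cfmodule template="/header.cfm">
  <p>Mismatch error, go back and type in the correct value.</p>
  <cfmodule template="/footer.cfm">
</cfif>
```

Because the answer is removed from the session after one attempt, a visitor who mistypes has to go back through random.cfm for a fresh image; that is the intended behaviour, since it also means a value that was typed correctly once cannot be reused for a second post. Keeping the output filters in place is still worthwhile as a second layer, but with this structure nothing reaches the guests table unless the session that requested the image also supplied its answer.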