4 Replies Latest reply on Mar 24, 2015 12:10 PM by BKBK

    URL Variables are Being Changed

    The Real Wirehead

      I am seeing intermittant instances where URL variables are being changed from what was actually passed in, and I cannot determine how/where/why it's happening.

       

      The entire process is to send email with encoded URL's that point back to a server which decodes the URL and redirects the user to the intended web page by using cflocation.  The destination is determined through the coding in the URL and has 4 url vars, 2 of which are static.

       

      oid= a static 3 digit value

      tag = a static random length alphanumeric, generally 8 characters or less

      uid = dynamically assigned before the redirec, alphanumeric 13-24 characters

      sid = dynamically assigned before the redirect, alphanumeric 24 characters

       

      What I can say about the mangling is that when a value is only alpha it is being rot13'd (characters are being changed to the 13th next character in the alphabet, starting at A after Z).  When it's numeric it has additional numbers appended, and when it's mixed alpha and numeric both are happening but I haven't been able to identify a specific pattern as to when digits are inserted, which digits they will be or for how many are inserted.

       

      I have verified that the vars are correct in the call to cflocation, and then immediately capture them in the next system and they are wrong.

       

      I cannot rule out the possibility somebody in the organization has done this intentionally.  I can read the code and know what every line is doing, but perhaps their is a way to include a file throug a setting in the administrator that I don't know to look for?  Based on the consitency of rot13 and while I can't yet see a pattern for the numerics it's probably there - this really "feels" like something malicious.

       

      I don't have enough data yet to feel confident this is absolute, but over the past couple of hours every time the vars have been mangled I have had the user agent tag "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)]"  So is it a browser issue?  Or maybe it's malicious and the user_agent string is being used to control it's randomness?

       

      Is there a method of including processing code other than cfinclude, cfobject etc?  Something that would be done in the administrator or a config file as I have read and fully understand the template and files that are included with cfinclude.

       

      Is it possible to have built in a custom written module in IIS that is doing this?

       

      Is there some potential of a bug in CF that would do this?  Maybe I missed a patch?

       

      Could it just be a browser problem and I am too paranoid of sabotage to admit it?

       

      Any help is appreciated.  Am running CFEnterprise 7 on Win 2008 R2 Datacenter with IIS 7

        • 1. Re: URL Variables are Being Changed
          The Real Wirehead Level 1

          I can now confirm that for all instances the user agent string is for IE9 32bit running on 64bit win 7

           

          Also that the web server logs are showing mangled values.

           

          I do not know at what point the log information is captured, if there's a possibility of it being manipulated in the server beforehand?

          • 2. Re: URL Variables are Being Changed
            haxtbh Level 4

            I noticed I was getting this problem a while back. We would send out some emails generated by coldfusion with various URL vars in them and then after they were sent out we noticed a number of errors coming back where the URL was incorrect and had been adjusted. Sometimes adding numbers and extra letters, sometimes adding an apostrophe.

             

            When looking at the error dump we have for each of these they all came from IE9 users. After looking at things our side and a bit more testing we were unable to reproduce or find an error so could only assume it was that particular version of IE 9 that was corrupting the URL some how.

             

            Still haven't got to the bottom of it yet!

            • 3. Re: URL Variables are Being Changed
              The Real Wirehead Level 1

              Thank you haxbh, this is both encouraging and discouraging at the same time

               

              Since I can't duplicate the behavior when I type the url into IE9 on win 7, I wonder if the actual problem might be where an email client hands the URL to the browser?  Not sure how to test that theory since it would require knowing what client each user with an error is using.