How to subscribe a user in Exact Target via their API

Since obviously the Exact Target community has no appreciation for the ColdFusion community, I feel that I should post the code that I wrote to subscribe a user to a list.

Here's my cfc...

    <cfcomponent>
        <cffunction name="subscribeUser" access="public" returntype="string"
            hint="Subscribes a user to the specified list in Exact Target.">
            <cfargument name="company" type="string" required="yes" />
            <!--- optional, so it needs a default: it is always referenced below --->
            <cfargument name="country" type="string" required="no" default="" />
            <cfargument name="emailAddress" type="string" required="yes" />
            <cfargument name="firstName" type="string" required="yes" />
            <cfargument name="lastName" type="string" required="yes" />
            <cfargument name="emailType" type="string" required="yes" />
            <cfargument name="userid" type="string" required="yes" default="" />
            <!--- replace <listid> with your numeric list id --->
            <cfargument name="listId" type="numeric" required="no" default="<listid>" />
            <!--- keep the cfhttp result local to this function --->
            <cfset var cfhttp = "">
            <!--- note: this endpoint is called over plain HTTP, so the subscriber data is sent unencrypted --->
            <cfhttp url="http://cl.exct.net/subscribe.aspx?lid=#arguments.listId#" method="post">
                <!--- company --->
                <cfhttpparam name="COMPANY" type="FormField" value="#arguments.company#" />
                <!--- country --->
                <cfhttpparam name="Country" type="FormField" value="#arguments.country#" />
                <!--- email address --->
                <cfhttpparam name="email address" type="FormField" value="#arguments.emailAddress#" />
                <!--- first name --->
                <cfhttpparam name="FIRST NAME" type="FormField" value="#arguments.firstName#" />
                <!--- last name --->
                <cfhttpparam name="LAST NAME" type="FormField" value="#arguments.lastName#" />
                <!--- email type --->
                <cfhttpparam name="Email Type" type="FormField" value="#arguments.emailType#" />
                <!--- user id --->
                <cfhttpparam name="MID" type="FormField" value="#arguments.userId#" />
                <!--- action --->
                <cfhttpparam name="SUBACTION" type="FormField" value="sub_add_update" />
            </cfhttp>
            <!--- return the raw response body from Exact Target --->
            <cfreturn cfhttp.FileContent />
        </cffunction>
    </cfcomponent>

Here's my cfc invoke..

    <cfinvoke
        component="email-subscribe"
        method="subscribeUser"
        company="{user's company}"
        emailAddress="{user's email address}"
        firstName="{user's first name}"
        lastName="{user's last name}"
        country="{user's country}"
        emailType="{user's email type}"
        userid="{}"
        returnvariable="confirmation"
         />

The above CF code will add a user to the designated mailing list.

Tags: ColdFusion, Exact Target, ExactTarget, ColdFusion API, Paul Alkema

One of The Worst Security Holes in CAPTCHAs and How You Can Fix Them.

There have been several occasions where people have used security holes in CAPTCHAs to purchase large amounts of specific items like tickets or other items. Is this wrong to do? I would say yes. In this article I'm going to teach you how to manually take advantage of this security hole and what you can do to prevent it from happening.

The first step to understanding the issues with most CAPTCHAs is to understand how they work. Most CAPTCHAs work as follows:

  1. A random word (or words) or alphanumeric string is generated.
  2. This string is rendered into an image which is displayed to the user, and the user is prompted to input the text they see in the image. In ColdFusion, people will often use the cfimage tag with action="captcha".
  3. The string is then usually encrypted and placed into a hidden form element that's located inside of the submitting form.
  4. After the form is submitted, the text that the user entered is typically encrypted using the same type of encryption as the randomly generated string.
  5. Finally, the encrypted user-entered string is compared to the encrypted randomly generated string. If they match, then the user isn't a bot; if they don't, then the user is a bot.

This method is either the exact method or extremely similar to how most CAPTCHA applications are written. You may be wondering what the issue with this is. I think that most people think, "Wow, because I'm encrypting all of my strings and my CAPTCHA is so hard to read, my CAPTCHA is fool-proof." The reality is that this type of CAPTCHA only stops one type of spammer.

There are three types of spammers.

  1. Automated Spam Bots. An automated spam bot is written on a large scale and normally posts random spam on random sites by crawling from site to site.
  2. Manual Bots. A small application written for one purpose, for one web site.
  3. Manual Human Spam. Usually a paid human with the intent to spam a single site or multiple sites.

The above method stops most Automated Spam Bots, but not all of them. The security issue that I'm pointing out today has really more to do with manual bots and how easy it is to write one. Please note that the reason I am helping you to write this is in absolutely no way to help anyone under any circumstances to hack, spam or do anything illegal in any way. It's for informational purposes, so that the web development community can better understand how to prevent this type of issue.

How to Write a Manual Bot

  1. First go to the web page that has the CAPTCHA that you would like your bot to get through. Note the action page that the form submits to. You can take note of this by viewing the source code.
  2. Fill out the form completely as if you were to submit the form including the CAPTCHA text.
  3. Note all of the form field names including the hidden fields and record all of their values.
  4. Write a small script that allows you to send those HTTP form elements with the values recorded to your web page's action page. I know I make it sound easy, but that's because at least in ColdFusion it is easy.

I have a test page with a typical CAPTCHA HERE.

When I fill out the form in my example CAPTCHA page above and take note of the form elements and values, this is what I get.

EXAMPLE
Action
http://paulalkema.com/assets/content/unsuspecting-page.cfm
Form
submitted=1
captcha_check=6501AA9BA0B073BC (this contains the encrypted version of the captcha.)
captcha=h7eunmjq (This was blank before, but I manually entered this as a value.)

Now that we have this data recorded you can build a script that could do this dynamically.
CODE EXAMPLE

    <cfhttp 
        url="http://paulalkema.com/assets/content/unsuspecting-page.cfm" 
        method="post">
        <cfhttpparam 
            name="submitted" 
            type="FormField" 
            value="1">
        <cfhttpparam 
            name="captcha_check" 
            type="FormField" 
            value="6501AA9BA0B073BC">
        <cfhttpparam 
            name="captcha" 
            type="FormField" 
            value="h7eunmjq">
    </cfhttp>
    <cfoutput>
        #cfhttp.FileContent#	
    </cfoutput>

The above code would submit all of the form variables to my action page, where my action page would then accept that I'm not a bot. I have an example of the exact script above working HERE.

You may be a little skeptical that someone would actually go out of their way to do this to spam your site, and you very well may be right, but the reality is that someone could do it. In March 2010, 4 people were indicted for simultaneously buying thousands of concert tickets through an automated script similar to this.

How to Prevent It

So what do you do to prevent it? I think the primary issue with the above technique is that you're sending a generated encrypted version of your CAPTCHA to the browser and comparing it to a user-typed version of the CAPTCHA. If you write a script that can resend this information, the script can be run repeatedly against the action page. Solution? Send the generated encrypted version of your CAPTCHA through server-side variables, so it never appears in the form. If you're using ColdFusion, a possible solution would be to send the generated encrypted version of your CAPTCHA through session variables.
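One way to implement the session-variable approach described above, as an added example that is not code from the original post. It assumes session management is enabled for the application; `captcha-form.cfm`, the 10-minute lifetime and the variable names are hypothetical choices, and both templates are shown in one block.

```cfml
<!--- captcha-form.cfm (hypothetical name): the answer lives only in the session --->
<cfset chars = "abcdefghjkmnpqrstuvwxyz23456789">
<cfset answer = "">
<cfloop from="1" to="8" index="n">
    <cfset answer = answer & mid(chars, randRange(1, len(chars), "SHA1PRNG"), 1)>
</cfloop>
<cflock scope="session" type="exclusive" timeout="5">
    <cfset session.captchaAnswer = answer>
    <cfset session.captchaIssued = now()>
</cflock>
<form action="unsuspecting-page.cfm" method="post">
    <cfimage action="captcha" text="#answer#" width="260" height="60" difficulty="medium">
    <input type="text" name="captcha" autocomplete="off">
    <!--- no captcha_check hidden field: nothing about the answer reaches the client --->
    <input type="hidden" name="submitted" value="1">
    <input type="submit" value="Submit">
</form>

<!--- unsuspecting-page.cfm: verify against the session, and only once --->
<cfset captchaOk = false>
<cflock scope="session" type="exclusive" timeout="5">
    <cfif structKeyExists(session, "captchaAnswer")>
        <cfset expected = session.captchaAnswer>
        <cfset issued = session.captchaIssued>
        <!--- Single use: discard the challenge before comparing, pass or fail --->
        <cfset structDelete(session, "captchaAnswer")>
        <cfset structDelete(session, "captchaIssued")>
        <!--- assumed lifetime: a challenge older than 10 minutes is rejected --->
        <cfif structKeyExists(form, "captcha")
              and dateDiff("n", issued, now()) lt 10
              and compareNoCase(trim(form.captcha), expected) eq 0>
            <cfset captchaOk = true>
        </cfif>
    </cfif>
</cflock>
<cfif captchaOk>
    <!--- process the submission here --->
    <cfoutput>Thanks, your submission was accepted.</cfoutput>
<cfelse>
    <!--- replayed, expired, missing or wrong: a new challenge must be loaded --->
    <cfheader statuscode="400" statustext="Bad Request">
    <cfoutput>CAPTCHA check failed. Please reload the form and try again.</cfoutput>
</cfif>
```

Because the challenge is deleted on the first attempt, resending a recorded POST finds no answer in the session and is rejected; every submission needs a freshly solved image.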

SEO: Coldfusion, Captcha, Cfhttp, Issues With Captcha, Hack Captcha, Captcha Security

Pull a List of All Coldfusion Datasources, Along With Username and Passwords

There are special times when you may need to get a list of your datasources or retrieve the passwords for your datasources. If this is your case, no problem.

The script below will pull all datasources, along with the username and a decrypted password.


    <cfscript>
    // Create Data Source Object: a struct of all datasources from the service factory
    dataSourceObb = createObject("java", "coldfusion.server.ServiceFactory").
        getDatasourceService().getDatasources();

    // Loop Through DataSources, skipping any without a stored password
    for (i in dataSourceObb) {
        if (len(dataSourceObb[i]["password"])) {

            // Get username
            username = dataSourceObb[i]["username"];

            // Get and decrypt password
            decryptPassword = decrypt(dataSourceObb[i]["password"],
                generate3DesKey("0yJ!@1$r8p0L@r1$6yJ!@1rj"), "DESede",
                "Base64");

            // Output all datasources along with username and passwords
            writeOutput("DataSource: " & i & "<br>"
                & "Username: " & username & "<br>"
                & "Password: " & decryptPassword & "<br><br>");
        }
    }
    </cfscript>

Enjoy!

UPDATE: When this was originally posted, it worked on ColdFusion 9. Since then 9.0.1 has been released, and that version has fixed this issue.

Tags: Coldfusion, Datasource Passwords, ColdFusion Passwords, ColdFusion ServiceFactory, Paul Alkema

How To Select All Columns From a Table In MSSQL

On occasion I've needed to perform an action on all columns of a table, but wanted it to be dynamic so that I could use it on multiple tables. In order to do so, I needed a way to pull all of the columns in my table before performing my action.

Here is an example of how to pull all of the columns in the specified table.

EXAMPLE

    DECLARE @table varchar(40)
    SET @table = 'your-table'

    SELECT [name]
    FROM   syscolumns
    WHERE  [id] IN
           (SELECT [id]
           FROM    sysobjects
           WHERE   [name] = @table
           )

This is how you can use this method to pull the primary key.

EXAMPLE

    DECLARE @table_name VARCHAR(40)
    SET @table_name = 'your-table'

    -- Columns of the table that are part of index 1 (used here as the primary key)
    SELECT [name]
    FROM   syscolumns
    WHERE  [id] IN
           (SELECT [id]
           FROM    sysobjects
           WHERE   [name] = @table_name
           )
       AND colid IN
           (SELECT SIK.colid
           FROM    sysindexkeys SIK
                   JOIN sysobjects SO
                   ON      SIK.[id] = SO.[id]
           WHERE   SIK.indid        = 1
               AND SO.[name]        = @table_name
           )

Reset Coldfusion Administrator Password

Sorry hackers, this is not a tutorial on how to hack into a ColdFusion administrator that isn't yours. In order to do this, you need access to the ColdFusion server files. Now if you have access to those and you're a hacker, well, I think the server's administrator has more to worry about than you just changing the ColdFusion administrator password.

Warning!! Once the password has been changed, there's no changing it back to what the previous password was, so make sure you have permission to do this before doing it.

Now that I've warned you, here's how you do it!

  1. Locate neo-security.xml. This file should be located in your lib folder,
    e.g. C:/coldfusion8/lib/neo-security.xml
  2. Open file and locate
            <var name="admin.security.enabled">
                <boolean value="true" />
            </var>
        
  3. Change from boolean value="true" to boolean value="false".
  4. Save file and exit
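  5. Restart the ColdFusion services.
  6. Go to the ColdFusion administrator. It should be unlocked. Until you finish the remaining steps, anyone who can reach the administrator can open it without a password, so complete them right away.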
  7. Expand "security", select "CF Admin Password".
  8. Check the check box for the "Use a ColdFusion Administration password". This will enable the password requirement.
  9. Enter new password twice and hit "Submit Changes".