jbird5k
Inspiring
October 5, 2011
Question

cfusion_decrypt not working

  • October 5, 2011
  • 1 reply
  • 1389 views

I am having an issue with cfusion_decrypt() not providing the correct value; actually, it looks as though it is encrypting the string again.

I am stumped, because we use this encryption block quite a bit and this one app is having difficulties with it. It is in a portal; users log into the portal and are presented with "their" applications, and the links pass data to the apps that present appropriate start pages. This works fine for all but one app.

Here is what I get:

I am dumping the query string in the receiving app before it gets to the encryption block:

fuseaction=2A31171339401B0220005010201A135E2417050A3D0B50163A0B045E7D5645527E48130E28071A5E0B0704073A0B1A0F6704190B272E190A2E40120C2540110C3F4806142D5332507A1E34423C0B

This seems a little long but....

This is the decoded value:

decoded value= ^Tdgr%bvEs$[Ecg;WcNoD5eN@a' 36&5-jzMtn n~pbIQj p|xSe|sZ%axn%hxZ;r_H*F5 j'E

I have been all over the net looking for info, but no joy.

Anyone have an idea what is going on here?

Why this one app?

TIA

JBIRD


    1 reply

    12Robots
    Participating Frequently
    October 5, 2011

    I'm having a hard time following your explanation. Could you provide some code that actually reproduces the problem or some more detail on what you put into which function, what you get back and what you expect to get back?

    Also, are you aware that cfusion_decrypt() and cfusion_encrypt() are terribly insecure and barely even qualify as cryptography?

    Jason

    jbird5k
    Inspiring
    October 5, 2011

    Fair enough, yes we know it's not that secure, but it's been blessed for internal use.

    Here is the link causing the issue.

    <a href="http://#CGI.HTTP_HOST#/cfmx/eoig/inventory/myProperty/index.cfm?fuseaction=#CFUSION_ENCRYPT('admin.welcome', application.encryptKey)#" target="_blank">My Property</a>

    Here is the encryption/decryption block; it's identical in both sending and receiving application.cfc files.

    <cfscript>
        queryString = CGI.QUERY_STRING;
        structClear(URL);

        /* decrypt and rebuild the url string */
        fuseAct      = listGetAt(queryString, 1, "=");
        codedValue   = listGetAt(queryString, 2, "=");
        decodedValue = "#cfusion_decrypt(codedValue, application.encryptKey)#";
        decryptedQueryString = "#fuseAct#=#decodedValue#";
    </cfscript>

    <!--- Parse the rebuilt url string into the URL structure
          NOTE: For this to work, the USEBOX_PARAMETERS.precedenceFormOrUrl
                parameter must be set to "URL" not FORM --->
    <cfloop index="x" list="#decryptedQueryString#" delimiters="&">
        <cfset name = listGetAt(x, 1, "=") />
        <cfset value = listGetAt(x, 2, "=") />
        <cfset structInsert(URL, name, value) />
    </cfloop>
    </cfif>

    When the link is clicked I get the following error:

    This is the template "errortemplates/fusebox.malformedFuseaction.cfm"

    An Error of type "fusebox.malformedFuseaction" has occured

    malformed Fuseaction

    You specified a malformed Fuseaction of \oh~l%xr@~mEI. A fully qualified Fuseaction must be in the form [Circuit].[Fuseaction].

    Application Error

    An error occurred: http://eoig.oig.dol.gov/cfmx/eoig/inventory/myProperty/index.cfm?fuseaction=280A1B0A27400106250D190E2C

    Time: 10/5/11 3:39 PM

      coldfusion.runtime.EventHandlerException: Event handler exception. === onRequestStart

    I am expecting to get the login page for the property app.

    Legend
    October 5, 2011

    You are most likely fighting with URL encoding issues. Make sure that the encrypted string you are sending out exactly matches the encrypted string you are receiving back -- cflog is your friend.

    I would also specify a specific URL parameter as opposed to the listGetAt(cgi.query_string, 1, "=") you are doing.
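
The two suggestions in the last reply (log the encrypted string on both sides, and read a named URL parameter instead of splitting the query string), as an added CFML example that is not part of the thread or the poster's application. It assumes ColdFusion 9 or later cfscript, a hypothetical log file name `portalLink`, and that `application.encryptKey` is set in both apps.

```cfml
<cfscript>
// Added example, not code from the thread. Assumptions: this runs in
// onRequestStart in place of the CGI.QUERY_STRING split, before any
// structClear(URL); "portalLink" is a hypothetical log file name.

// Sending app: log the exact value placed in the link (call where the link is built).
function logSentFuseaction(required string plain) {
    var coded = cfusion_encrypt(arguments.plain, application.encryptKey);
    writeLog(file="portalLink", type="information",
             text="sent fuseaction=[#coded#] len=#len(coded)#");
    return coded;
}

// Receiving app: read the named parameter, log it, validate, then decrypt.
function readFuseaction() {
    var coded = "";
    var decoded = "";
    if (structKeyExists(URL, "fuseaction")) {
        coded = trim(URL.fuseaction);
    }
    writeLog(file="portalLink", type="information",
             text="received fuseaction=[#coded#] len=#len(coded)# query=[#CGI.QUERY_STRING#]");

    // The encrypted values shown in this thread are hex text, two characters
    // per plaintext character. Anything else was changed between the apps.
    if (len(coded) EQ 0 OR len(coded) MOD 2 NEQ 0
            OR reFind("^[0-9A-Fa-f]+$", coded) EQ 0) {
        throw(type="portal.badFuseaction",
              message="fuseaction parameter is missing or is not a hex string");
    }

    decoded = cfusion_decrypt(coded, application.encryptKey);

    // Fusebox expects [Circuit].[Fuseaction]. If the hex matched what was sent
    // but this check fails, compare application.encryptKey in the two apps.
    if (reFind("^[A-Za-z0-9_]+\.[A-Za-z0-9_]+$", decoded) EQ 0) {
        writeLog(file="portalLink", type="error",
                 text="decrypted value is not circuit.fuseaction, len=#len(decoded)#");
        throw(type="portal.badFuseaction",
              message="decrypted fuseaction is malformed");
    }
    return decoded;
}

URL.fuseaction = readFuseaction();
</cfscript>
```

Comparing the `sent` and `received` log lines for the same click shows whether the value changed in transit or arrived intact and failed at decryption.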