
cfusion_decrypt not working

Participant, Oct 05, 2011

I am having an issue with cfusion_decrypt() not providing the correct value; actually, it looks as though it is encrypting the string again.

I am stumped, because we use this encryption block quite a bit and this one app is having difficulties with it. It is in a portal, and users log into the portal and are presented with "their" applications; the links pass data to the apps that present appropriate start pages. This works fine for all but one app.

here is what I get:

I am dumping the query string in the receiving app before it gets to the encryption block:

fuseaction=2A31171339401B0220005010201A135E2417050A3D0B50163A0B045E7D5645527E48130E28071A5E0B0704073A0B1A0F6704190B272E190A2E40120C2540110C3F4806142D5332507A1E34423C0B

this seems a little long but....

this is the decoded value:

decoded value= ^Tdgr%bvEs$[Ecg;WcNoD5eN@a' 36&5-jzMtn n~pbIQj p|xSe|sZ%axn%hxZ;r_H*F5 j'E

I have been all over the net looking for info, but no joy.

Anyone have an idea what is going on here?

Why this one app?

TIA

JBIRD

Advocate, Oct 05, 2011

I'm having a hard time following your explanation. Could you provide some code that actually reproduces the problem or some more detail on what you put into which function, what you get back and what you expect to get back?

Also, are you aware that cfusion_decrypt() and cfusion_encrypt() are terribly insecure and barely even qualify as cryptography?

Jason

Participant, Oct 05, 2011

Fair enough, yes we know it's not that secure, but it's been blessed for internal use.

Here is the link causing the issue.

<a href="http://#CGI.HTTP_HOST#/cfmx/eoig/inventory/myProperty/index.cfm?fuseaction=#CFUSION_ENCRYPT('admin.w...', application.encryptKey)#" target="_blank">My Property</a>

Here is the encryption/decryption block; it's identical in both sending and receiving application.cfc files.

<cfscript>
    queryString = CGI.QUERY_STRING;
    structClear(URL);

    /* decrypt and rebuild the url string */
    fuseAct      = listGetAt(queryString, 1, "=");
    codedValue   = listGetAt(queryString, 2, "=");
    decodedValue = "#cfusion_decrypt(codedValue, application.encryptKey)#";
    decryptedQueryString = "#fuseAct#=#decodedValue#";
</cfscript>

<!--- Parse the rebuilt url string into the URL structure
      NOTE: For this to work, the USEBOX_PARAMETERS.precedenceFormOrUrl
            parameter must be set to "URL" not FORM --->
<cfloop index="x" list="#decryptedQueryString#" delimiters="&">
    <cfset name = listGetAt(x, 1, "=") />
    <cfset value = listGetAt(x, 2, "=") />
    <cfset structInsert(URL, name, value) />
</cfloop>
</cfif>

when the link is clicked  I get the following error

This is the template "errortemplates/fusebox.malformedFuseaction.cfm"

An Error of type "fusebox.malformedFuseaction" has occured

malformed Fuseaction

You specified a malformed Fuseaction of \oh~l%xr@~mEI. A fully qualified Fuseaction must be in the form [Circuit].[Fuseaction].

Application Error

An error occurred: http://eoig.oig.dol.gov/cfmx/eoig/inventory/myProperty/index.cfm?fuseaction=280A1B0A27400106250D190E...

Time: 10/5/11 3:39 PM

  coldfusion.runtime.EventHandlerException: Event handler exception. === onRequestStart

I am expecting to get  the log in page for the property app.

Advocate, Oct 05, 2011

You are most likely fighting with URL encoding issues. Make sure that the encrypted string you are sending out exactly matches the encrypted string you are receiving back -- cflog is your friend.

I would also specify a specific URL parameter as opposed to the listGetAt(cgi.query_string, 1, "=") you are doing.

LEGEND, Oct 05, 2011

OK, when posting a reproduction case (as requested by Jason), don't just slap the part of your app that's erroring; almost all of that code has got nothing to do with a perceived problem with the functions you're having problems with.

Write some stand-alone code that demonstrates the problem you're seeing, and explain why the code doesn't meet your expectations.  We should be able to copy and paste the code you post into a file locally and run it and see what you're seeing.

--

Adam
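
A stand-alone round-trip page of the kind requested above, which also applies the earlier advice to compare the sent and received ciphertext and to read a named URL parameter. It is an added example, not code from any poster in this thread; the file name, key, plaintext and log name are constructed, and it assumes cfusion_encrypt()/cfusion_decrypt() are available on the server.

```cfml
<!--- roundtrip.cfm (hypothetical file name): added test page, constructed values only --->
<cfscript>
    testKey   = "constructed-test-key";   // not the application's key
    plainText = "circuit.action";         // constructed [Circuit].[Fuseaction] value

    // 1. Round trip with no HTTP request in between.
    cipherText  = cfusion_encrypt(plainText, testKey);
    roundTrip   = cfusion_decrypt(cipherText, testKey);
    roundTripOk = compare(roundTrip, plainText) eq 0;

    // 2. If the ciphertext is hex only, URL encoding should leave it unchanged.
    isHexOnly = reFind("^[0-9A-Fa-f]+$", cipherText) eq 1;
    urlSafe   = compare(urlEncodedFormat(cipherText), cipherText) eq 0;

    // 3. Same ciphertext under a different key, for comparison with the
    //    unreadable output a sender/receiver key mismatch would give.
    wrongKeyResult = cfusion_decrypt(cipherText, "another-constructed-key");

    // 4. Value received on this request, read by parameter name rather than
    //    by position in CGI.QUERY_STRING.
    received = "";
    if (structKeyExists(URL, "fuseaction")) {
        received = URL.fuseaction;
    }
    exactMatch = compare(received, cipherText) eq 0;   // case-sensitive compare

    // Log lengths and digests, never the key or the raw values.
    sentDigest     = hash(cipherText, "SHA-256");
    receivedDigest = hash(received, "SHA-256");
    writeLog(file="decryptTest", type="information",
        text="sent len=#len(cipherText)# sha256=#sentDigest# received len=#len(received)# sha256=#receivedDigest# exact=#exactMatch#");
</cfscript>
<cfoutput>
<p>Round trip ok: #roundTripOk#</p>
<p>Hex only: #isHexOnly#, unchanged by urlEncodedFormat: #urlSafe#</p>
<p>Decrypted with a different key: #htmlEditFormat(wrongKeyResult)#</p>
<p>Received: #htmlEditFormat(received)# (exact match: #exactMatch#)</p>
<p><a href="#CGI.SCRIPT_NAME#?fuseaction=#cipherText#">Send the ciphertext back to this page</a></p>
</cfoutput>
```

Load the page once, then follow its link: if the round trip succeeds and the received value matches exactly, the functions and the transport are ruled out, and the key each application actually holds is the next thing to compare.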
