Variable CFUSION_ENCRYPT is undefined

Question

0 experience with ColdFusion over here.

Got this project dropped off at my desk which was written by somebody 4 years ago, the person doesn't work with my company any more.

Got the logs from the live hosted website, and the error seems to exist on this line.

Line 196:

<p><a href="https://#$.siteConfig().getdomain()##$.createHREF(filename='accounts/verify-email')#?stub=#cfusion_encrypt(uu.username, application.encKey)#">Click here</a> to activate your account</p>

I believe it might have something to do with the fact that the URL exists in quotes and the parameters are not correctly being passed? But I am not certain by any means.

I do not have the code base to test it or debug it, just the live deployed website.

Happy to get any suggestions on how to proceed with this. Thanks!

`#cfusion_encrypt(uu.username, application.encKey)#` is a function call, which is not defined. You need to track down the definition of that function. — Redtopia, Aug 28 '18 at 16:15
All the code for the ColdFusion code for the live site is on the server, which I assume you have access to (since you have the logs). Copy the source code to your computer and do a search for that function. — Redtopia, Aug 28 '18 at 16:30
I tried that, turns out that is the only reference for it in the entire code base. The server seems to have ColdFusion 11 installed and according to a source on the internet, ColdFusion 11 doesn't support CFusion_encrypt(). — Addy, Aug 28 '18 at 16:35
The `cfusion_encrypt()` function seems to only be available on Lucee (formerly Railo). [reference](https://cfdocs.org/cfusion_encrypt) Which explains why Adobe ColdFusion says it is "undefined". Did they recently change to Adobe CF? Or perhaps it was available in Adobe CF prior to ColdFusion 11 [reference](https://stackoverflow.com/a/27240257/1636917) Did they recently upgrade the Adobe ColdFusion version? — Miguel-F, Aug 28 '18 at 16:44
Has anyone else touched the code? I once had a developer write code for an app that was deployed on CF 9, but was running CF 11 locally. They added a couple of function calls that didn't work in prod and caused us to lock down code reviews and made sure everyone was only developing on the same version as was in production. — Adrian J. Moreno, Aug 28 '18 at 16:52
Do not believe anybody has a developer background on the client's team. But in that case, the code/versions are unchanged. But you all make valid points. I am trying to get hold of the people in charge. Hopefully have an answer to it by end of day. Thank you. Will give an update! — Addy, Aug 28 '18 at 17:04
Being that it involves an encryption function, I would go to your `verify-email` page and verify how it's planning to decrypt the `stub` value being passed through the URL. More than likely, you'd be better off just switching your URL variable to use CFML `encrypt()` and then using `decrypt()` in the verify page to ensure you're decrypting the proper value from the URL. (https://cfdocs.org/encrypt) You may also want to look into ways to prevent abuse of your URL. And to probably use a different Key for this than other things. But now I'm getting OT and into site security. — Shawn, Aug 28 '18 at 19:09
I would also look at your `verify-email` page to see what algorithm is being used to decrypt the `stub`. — Shawn, Aug 28 '18 at 19:19
@Addy - Agreed about switching. If it's just used for sessions (and not stored), you'd be better off moving away from the deprecated (and insecure) CFMX_COMPAT algorithm and using encrypt() with a *real* encryption algorithm like Shawn suggested. — SOS, Aug 29 '18 at 16:40

score 3 · Accepted Answer · answered Aug 28 '18 at 17:21

If your CFML code is hosted on both new and pre-CF11 ColdFusion servers, you may need to use a user-defined function (UDF) to fill the gap. We used the following code while slowly testing & migrating older applications from CF7 to 2016. (Just add these functions to your codebase and rename existing "CFusion_" tags to "Fusion_".)

Published 10/20/2005 by Barney Boisvert: http://www.barneyb.com/barneyblog/2005/10/28/cfusion_encryptcfusion_decrypt-udfs/

<cffunction name="fusion_encrypt" output="false" returntype="string">
    <cfargument name="string" type="string" required="true" />
    <cfargument name="key" type="string" required="true" />
    <cfset var i = "" />
    <cfset var result = "" />
    <cfset key = repeatString(key, ceiling(len(string) / len(key))) />
    <cfloop from="1" to="#len(string)#" index="i">
        <cfset result = result & rJustify(formatBaseN(binaryXOR(asc(mid(string, i, 1)), asc(mid(key, i, 1))), 16), 2) />
    </cfloop>
    <cfreturn ucase(replace(result, " ", "0", "all")) />
</cffunction>
<cffunction name="fusion_decrypt" output="false" returntype="string">
    <cfargument name="string" type="string" required="true" />
    <cfargument name="key" type="string" required="true" />
    <cfset var i = "" />
    <cfset var result = "" />
    <cfset key = repeatString(key, ceiling(len(string) / 2 / len(key))) />
    <cfloop from="2" to="#len(string)#" index="i" step="2">
        <cfset result = result & chr(binaryXOR(inputBaseN(mid(string, i - 1, 2), 16), asc(mid(key, i / 2, 1)))) />
    </cfloop>
    <cfreturn result />
</cffunction>
<cffunction name="binaryXOR" output="false" returntype="numeric">
    <cfargument name="n1" type="numeric" required="true" />
    <cfargument name="n2" type="numeric" required="true" />
    <cfset n1 = formatBaseN(n1, 2) />
    <cfset n2 = formatBaseN(n2, 2) />
    <cfreturn inputBaseN(replace(n1 + n2, 2, 0, "all"), 2) />
</cffunction>

<h2>cfusion_encrypt Test</h2>
<cfset key = "test" />
<cfoutput>
<table>
<cfloop list="barney,is,damn cool!" index="i">
    <tr>
        <td>#i#</td>
        <td>#cfusion_encrypt(i, key)#</td>
        <td>#fusion_encrypt(i, key)#</td>
        <td>#cfusion_decrypt(cfusion_encrypt(i, key), key)#</td>
        <td>#fusion_decrypt(fusion_encrypt(i, key), key)#</td>
    </tr>
</cfloop>
</table>
</cfoutput>

Seemed to do the trick! turns out it was the deprecated function call. This has been live on the client website for the last 3 years, blows my head how it went unnoticed for so long, given its on the Sign up Page! — Addy, Aug 29 '18 at 15:04
@Addy Keep in mind this doesn't _fix_ the problem. It just slaps a big Band-Aid on it. There are still some issues with the "encryption" method it uses, and it probably wouldn't be more than a few minute fix now that the problem is identified. — Shawn, Aug 29 '18 at 18:20
@Shawn I'll keep that in mind. The specific piece relating to encryption was just to send out verification emails to the users for sign up. I will mention it to the client, hopefully get some budgeting and have the entire system looked at. Thanks! — Addy, Aug 29 '18 at 18:27

score 1 · Answer 2 · answered Aug 28 '18 at 16:54

1

Sounds like you're using now a version of ColdFusion server that does not have the built in cfusion_encrypt() function.

Try this, change

cfusion_encrypt(uu.username, application.encKey)

to

encrypt(uu.username, application.encKey,'CFMX_COMPAT','HEX')

I hope it helps.

answered Aug 28 '18 at 16:54

Alex Baban

11,312
4
30
44

1

I bet it really hurt your fingers to type both `encrypt` and `CFMX_COMPAT` in the same sentence. :-) – Shawn Aug 28 '18 at 19:17
1

It did, but I don't know how they are building their `encKey` since are using deprecated `cfusion_encrypt()`. Homework for them: read `encrypt()` docs. – Alex Baban Aug 28 '18 at 19:31
If it makes you feel any better, I cried a little bit for you. <<< For anyone else coming to this thread, Moral of this Story: Follow Alex's advice and read up on `encrypt()` and why `CFMX_COMPAT` should be refactored away into oblivion (or at least lost to time like a GeoCities page). :-) Granted, it appears that the app is just passing an encrypted username through the URL, so broken encryption like `CFMX_COMPAT` may be acceptable. – Shawn Aug 28 '18 at 19:39
Thanks for your help! – Addy Aug 29 '18 at 15:04

Variable CFUSION_ENCRYPT is undefined

2 Answers2