I am seeing intermittant instances where URL variables are being changed from what was actually passed in, and I cannot determine how/where/why it's happening.
The entire process is to send email with encoded URL's that point back to a server which decodes the URL and redirects the user to the intended web page by using cflocation. The destination is determined through the coding in the URL and has 4 url vars, 2 of which are static.
oid= a static 3 digit value
tag = a static random length alphanumeric, generally 8 characters or less
uid = dynamically assigned before the redirec, alphanumeric 13-24 characters
sid = dynamically assigned before the redirect, alphanumeric 24 characters
What I can say about the mangling is that when a value is only alpha it is being rot13'd (characters are being changed to the 13th next character in the alphabet, starting at A after Z). When it's numeric it has additional numbers appended, and when it's mixed alpha and numeric both are happening but I haven't been able to identify a specific pattern as to when digits are inserted, which digits they will be or for how many are inserted.
I have verified that the vars are correct in the call to cflocation, and then immediately capture them in the next system and they are wrong.
I cannot rule out the possibility somebody in the organization has done this intentionally. I can read the code and know what every line is doing, but perhaps their is a way to include a file throug a setting in the administrator that I don't know to look for? Based on the consitency of rot13 and while I can't yet see a pattern for the numerics it's probably there - this really "feels" like something malicious.
I don't have enough data yet to feel confident this is absolute, but over the past couple of hours every time the vars have been mangled I have had the user agent tag "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)]" So is it a browser issue? Or maybe it's malicious and the user_agent string is being used to control it's randomness?
Is there a method of including processing code other than cfinclude, cfobject etc? Something that would be done in the administrator or a config file as I have read and fully understand the template and files that are included with cfinclude.
Is it possible to have built in a custom written module in IIS that is doing this?
Is there some potential of a bug in CF that would do this? Maybe I missed a patch?
Could it just be a browser problem and I am too paranoid of sabotage to admit it?
Any help is appreciated. Am running CFEnterprise 7 on Win 2008 R2 Datacenter with IIS 7