
Solved

Security problem with CDONTS

Posted on 2007-07-21
9
Medium Priority
395 Views
Last Modified: 2008-12-18
I have various websites where I use CDONTS for interactive email - usually questionnaires - between website owner and the client.
These work well and I have had no problems until now. One of my sites has been hacked and my server is being used to dissipate porn and general spam.
I have checked the text file "News.txt" and found it to be full of junk - 16 meg of junk!

I obviously have a weakness in the coding but I do not know where it is, although it seems to me that I should be putting a limit on the number of characters in the fields.

In the example below C:\text\news.txt is the text file that holds the data prior to transmission.
info@owner.com and info@webmaster.com are the site and my own emails (not the actual ones)
My server runs on MS Server 2003

<%
Dim objFS ' File System Object
Dim objSaveFile ' File to save message to
Dim objMail ' CDONTS NewMail object
' Dim variables to store form contents
Dim strFirstName, strLastName
Dim strEmail, strDate, strNews

' Read form and save in variables to save reading again later.
' Request("name") looks in the query string as well as the posted form,
' so every one of these values can be supplied in a hand-built URL.
strDate = Now
strFirstName = Request("txtFirstName")
strLastName = Request("txtLastName")
strEmail = Request("txtEmail")
strNews = Request("txtNews")

If Not CBool(Request("send")) Then
    ' Create FileSystemObject and open file (8 = ForAppending, True = create if missing)
    Set objFS = Server.CreateObject("Scripting.FileSystemObject")
    Set objSaveFile = objFS.OpenTextFile("c:\Text\news.txt", 8, True)
    ' Write message to file; the field values are appended as submitted, with no length limit
    objSaveFile.Write "<MESSAGE>" & vbCrLf ' vbCrLf is a constant representing a new line
    objSaveFile.Write "Date & Time: " & strDate & vbCrLf
    objSaveFile.Write "Names: " & strFirstName & "  " & strLastName & vbCrLf
    objSaveFile.Write "Email : " & strEmail & vbCrLf
    objSaveFile.Write "Newsletter : " & strNews & vbCrLf
    objSaveFile.Write "</MESSAGE>" & vbCrLf
    objSaveFile.Close ' close file
    Set objSaveFile = Nothing ' Remove reference to objects
    Set objFS = Nothing

    ' Now write response to User showing what was submitted
    Response.Write _
        "Thank you for your Input. The following will be submitted. <BR></P>"
    Response.Write "<STRONG>Date: </STRONG>" & strDate & "<BR>"
    Response.Write "<STRONG>Name:</STRONG> " & strFirstName & "&nbsp;" & strLastName & "<BR>"
    Response.Write "<STRONG>Email:</STRONG> " & strEmail & "<BR>"
    Response.Write "<STRONG>Please place me on your email newsletter list:</STRONG> " & "<BR>"
    ' CONFIRM is a plain link that replays the original query string with send=True added
    Response.Write "<center><span><a href='save_newsletter.asp?" & Request.QueryString & "&send=True'><font color = black size = 2><b>CONFIRM</b></font></a>&nbsp;&nbsp;&nbsp;&nbsp;<a href='guest.asp'><font color = black size = 2><b>CANCEL</b></font></a></span></center>" & "<BR>"
%></P>

<%
Else
    Set objMail = CreateObject("CDONTS.NewMail")
    objMail.From = "info@owner.com"
    ' strEmail is appended to the recipient list exactly as submitted
    objMail.To = "info@webmaster.com,info@owner.com," & strEmail

    objMail.Subject = " Newsletter"
    objMail.Body = strDate & "<br>" & strFirstName & "  " & strLastName & "<br>" & _
        "Email: " & strEmail & "<BR>" & _
        "Newsletter: " & strNews & "<BR>"
    objMail.BodyFormat = 0 ' 0 = HTML body
    objMail.MailFormat = 0 ' 0 = MIME
    objMail.Send
    Set objMail = Nothing
End If
%>

rgds

Misafi
0
Comment
Question by:Misafi
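The two places in the posted save_newsletter.asp where untrusted input does damage are the recipient line (objMail.To = "..." & strEmail, so whatever is in txtEmail becomes part of the To list) and the CONFIRM link, which is a plain GET that replays the query string with send=True, so anyone can call it directly and repeatedly. The following is an added example, not code from the thread: it reproduces the vulnerable concatenation, runs a constructed attacker query through it, and then shows a server-side validator that rejects recipient lists, CR/LF header injection and oversized fields. It is written in ES3-style JavaScript so that it runs under Node.js and could equally be hosted server-side in classic ASP as JScript; the function names, the field limits and the sample query are assumptions.

```javascript
// Added example (not from the original thread). Function names, limits and the
// sample query below are assumptions; the field names are the ones on the page.

// Mirrors: objMail.To = "info@webmaster.com,info@owner.com," & strEmail
// Nothing checks that strEmail holds exactly one address.
function vulnerableRecipients(strEmail) {
  return 'info@webmaster.com,info@owner.com,' + strEmail;
}

// Constructed attacker request: the email field carries a recipient list, the
// other fields carry the spam, and send=True skips straight to the mail branch.
var ATTACK_QUERY = 'txtFirstName=Viagra&txtLastName=Store&' +
  'txtEmail=a%40example.com%2Cb%40example.com%2Cc%40example.com&' +
  'txtNews=buy+now&send=True';

// Minimal query-string parser standing in for ASP's Request collection.
function parseQuery(qs) {
  var out = {}, pairs = qs.split('&');
  for (var i = 0; i < pairs.length; i++) {
    var p = pairs[i], eq = p.indexOf('=');
    var k = decodeURIComponent(p.slice(0, eq).replace(/\+/g, ' '));
    var v = decodeURIComponent(p.slice(eq + 1).replace(/\+/g, ' '));
    out[k] = v;
  }
  return out;
}

// Hardened checks. The address pattern leaves no room for ',', ';', spaces,
// CR or LF, so both a recipient list and an injected "Bcc:" line fail here.
var EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

function validEmail(value) {
  return typeof value === 'string' && value.length <= 254 && EMAIL_RE.test(value);
}

// Body-bound text: bounded length (news.txt can no longer be padded with 16 MB
// of junk) and no control characters other than tab, CR and LF. CR/LF are only
// dangerous in header-bound fields, and validEmail already excludes them there.
function validText(value, maxLen) {
  if (typeof value !== 'string') return false;
  var t = value.replace(/^\s+|\s+$/g, '');
  return t.length > 0 && t.length <= maxLen &&
    !/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/.test(t);
}

// Returns the names of the fields that must not reach the file or the mail.
function validateSubmission(fields) {
  var errors = [];
  if (!validText(fields.txtFirstName, 50)) errors.push('txtFirstName');
  if (!validText(fields.txtLastName, 50)) errors.push('txtLastName');
  if (!validEmail(fields.txtEmail)) errors.push('txtEmail');
  if (!validText(fields.txtNews, 6000)) errors.push('txtNews');
  return errors;
}
```

With the attacker query above, vulnerableRecipients produces five addresses instead of three, while validateSubmission flags txtEmail and the request can be refused before anything is written or sent. The values echoed back with Response.Write should additionally go through Server.HTMLEncode, since they are currently inserted into the page as raw HTML.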
9 Comments
 
LVL 1

Expert Comment

by:Campbell_David_J
ID: 19539850
Oh, my goodness!  You definitely need to call a function when you read in the Request("varname") value.  Someone can build a fake URL with bad data in it.

This is a serious vulnerability to an attack called "SQL Injection".

Try something like this...

......
strFirstName = validText(Request("txtFirstName"), 50)
strLastName = validText(Request("txtLastName"), 50)
strEmail = validEmail(Request("txtEmail"))
strNews = validText(Request("txtNews"), 6000)
......

Build functions that test what kind of content you want to allow.
Be sure to take out all single quote characters in each of the functions that handle non-numerics.  That can allow malicious code to hurt your database.
0
 
LVL 1

Expert Comment

by:Campbell_David_J
ID: 19539868
Javascript sample functions...

// Browser-side helpers: each takes a form field element and returns true/false.
// There is no String.prototype.trim in older browsers, so a helper is used.
function trim(s) {
      return s.replace(/^\s+|\s+$/g, "");
}

function validEmail(formField){
      var objRegExp  = /(^([\w-_\.]*)[\w-_\.]@([\w-_\.]*)([\w-_\.])\.([a-z]{3})$)|(^([\w-_\.]*)[\w-_\.]@([\w-_\.]*)([\w-_\.])\.([a-z]{3})(\.[a-z]{2})*$)|(^([\w-_\.]*)[\w-_\.]@([\w-_\.]*)([\w-_\.])\.([a-z]{2})$)/;
      formField.value = formField.value.toLowerCase();
      if (!objRegExp.test(formField.value)){
            var msg = "Enter A Valid Email Address To Proceed.\n";
            alert(msg);
            formField.select();
      }
      return objRegExp.test(formField.value);
}


function validText(formField, iLen){
      formField.value = trim(formField.value);
      if (formField.value.length > iLen){
            var msg = formField.name + " Is too long.\n";
            msg += "Enter A Shorter String To Proceed.\n\n";
            alert(msg);
            formField.select();
            return false;
      }
      return true;
}
0
 

Author Comment

by:Misafi
ID: 19539942
Many thanks - it's getting late here so I will need to have a good look at what you are saying tomorrow, but my first impression (and I am not an expert in any way - obviously) is that I should have been including some sort of validation with my fields.

rgds

Misafi
0
 

Author Comment

by:Misafi
ID: 19541929
I can see what I should be doing - thanks to your advice.

The problem is that I draw the data from an input form on a different page and I am having trouble in getting the functions - particularly "ValidEmail" to work on either.

The form data is transferred after a "Submit" event which relies upon a simple validation script
<script type="text/javascript">
<!--
// Runs in the browser when the Submit button is clicked; returning false stops the post
function submit1_onclick() {
      var f = document.frmHome;
      if ((f.txtEmail.value == "")
            || (f.txtFirstName.value == "")
            || (f.txtLastName.value == "")
            || (f.txtNews.value == "")) {
            alert("One of the required fields has not been filled in. Please try again.");
            return false;
      }
      return true;
}
-->
</script>
and I am struggling to include the ValidEmail and ValidText components to this.

kind rgds

Misafi
0
 
LVL 1

Expert Comment

by:Campbell_David_J
ID: 19544588
This script I sent was javascript that was originally intended to be called from the SUBMIT button, but it sounds like you need a vbscript function that does the equivalent within the Pre-render code section.
Let me see if I can help with that conversion.

Another idea is to use the above validation scripts as javascript in the page where the user enters the data and use the POST method in the entry form so the data doesn't go out in the url where people can see it.  In the page that does the database updates, check request.form("varname") to be sure to only accept data from the entry page.

For an added measure of security I would set a session variable in the entry page and check in the database posting page for that same value to be sure the data coming in is from a valid source.

I'll see if I can work that up for you in the morning as it is late here right now.

Illa LiQa,
Dave
0
 

Author Comment

by:Misafi
ID: 19553667
Thanks Dave
I look forward to your advice.
rgds
Misafi
0
 

Author Comment

by:Misafi
ID: 19592918
Hi Dave
Any progress?
Rgds
Misafi
0
 

Author Comment

by:Misafi
ID: 19683897
I presume, in view of the lack of response, that this enquiry is now dead?

rgds

Misafi
0
 

Accepted Solution

by:
Misafi earned 0 total points
ID: 20814044
I suppose that - in view of the fact that nothing has happened - this subject should now be closed.
0
