Security problem with CDONTS
Posted on 2007-07-21
I have various websites where I use CDONTS for interactive email - usually questionnaires - between website owner and the client.
These work well and I have had no problems until now. One of my sites has been hacked and my server is being used to dissipate porn and general spam.
I have checked the text file "News.txt" and found it to be full of junk - 16 meg of junk!
I obviously have a weakness in the coding but I do not know where it is, although it seems to me that I should be putting a limit on the number of characters in the fields.
In the example below C:\text\news.txt is the text file that holds the data prior to transmission.
info@owner.com and email@example.com are the site and my own emails (not the actual ones).
My server runs on MS Server 2003
Dim objFS ' File System Object
Dim objSaveFile ' File to save message to
'Dim variables to store form contents
'Read form and save in variables to save reading again later.
strDate = Now
strFirstName = Request("txtFirstName")
strLastName = Request("txtLastName")
strEmail = Request("txtEmail")
strNews = Request("txtNews")
IF NOT cbool(request("send")) THEN
'First stage: save the submission to the text file and show a confirmation page
'Create filesystemobject and open file
set objFS = Server.CreateObject ("Scripting.FileSystemObject")'Line 39
Set objSaveFile = objFS.OpenTextFile("c:\Text\news.txt",8,True) '8 = ForAppending, True = create if missing
'Write message to file
objSaveFile.write "<MESSAGE>" & vbcrlf 'vbcrlf is a constant representing a new line
ObjSaveFile.write "Date & Time: " & strDate & vbcrlf
ObjSaveFile.write "Names: " & strFirstName & " " & strLastname & vbcrlf
ObjSaveFile.Write "Email : " & strEmail & vbcrlf
ObjSaveFile.Write "Newsletter : " & strNews & vbcrlf 'strNews is written with no length limit
ObjSaveFile.write "</MESSAGE>" & vbcrlf
ObjSaveFile.close ' close file
Set objSaveFile = nothing ' Remove reference to objects
set ObjFS = nothing
' Now write response to User showing what was submitted
Response.Write "Thank you for your Input. The following will be submitted. <BR></P>"
Response.Write "<STRONG>Date: </STRONG>" & strDate & "<BR>"
Response.Write "<STRONG>Name:</STRONG> " & strFirstName & " " & strLastName & "<BR>"
Response.Write "<STRONG>Email:</STRONG> " & strEmail & "<BR>"
Response.Write " <STRONG>Please place me on your email newsletter list:</STRONG> " & "<BR>"
' CONFIRM re-submits the same query string with send=True, so the second stage re-reads every field from the URL
Response.Write "<center><span><a href='save_newsletter.asp?"& request.querystring &"&send=True'><font color = black size = 2><b>CONFIRM</b></font></a> <a href='guest.asp'><font color = black size = 2><b>CANCEL</b></font></a></span></center>" & "<BR>"
ELSE
'Second stage (send=True): build and send the mail with CDONTS
Set objMail = CreateObject("CDONTS.Newmail")
objMail.From = "firstname.lastname@example.org"
' strEmail comes straight from the request and is appended to the recipient list unchecked
objMail.To = "email@example.com,info@owner.com," & strEmail
objMail.Subject = " Newsletter"
objMail.Body = strDate & "<br>" & strFirstName & " " & strLastName & "<br>" & _
"Email: " & strEmail & "<BR>" & _
"Newsletter: " & strNews & "<BR>"
objmail.BodyFormat = 0 ' 0 = HTML body
objmail.MailFormat = 0 ' 0 = MIME
objMail.Send
Set objMail = Nothing
END IF
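A set of input checks, added here as an example and not part of the original post or of CDONTS, that addresses the two weaknesses visible in the script above: strEmail is appended to the To line exactly as received, so it needs to be validated as a single well-formed address with no line breaks or address separators before it reaches the mail object, and the free-text fields have no length limit, which is how News.txt could grow to 16 meg. Function names, the regular expression and the limits are my own choices. It is written for classic ASP/VBScript so it can sit at the top of save_newsletter.asp before the file write or the CDONTS send; the same checks must run on the send=True request too, because CONFIRM re-reads every field from the query string.

```vbscript
' Added example (not from the original post): input checks to run right after
' the Request(...) lines and before any file write or CDONTS send.
' Names and limits below are my own assumptions, not part of the original site.

Const MAX_NAME_LEN = 60
Const MAX_EMAIL_LEN = 254
Const MAX_NEWS_LEN = 2000

' True only if strValue is exactly one plausibly formed address: no line breaks
' (a new line would start a new mail header) and no commas or semicolons (CDONTS
' treats those as recipient separators). The anchored pattern admits neither.
Function IsSafeEmail(strValue)
    Dim re
    IsSafeEmail = False
    If Len(strValue) = 0 Or Len(strValue) > MAX_EMAIL_LEN Then Exit Function
    If InStr(strValue, vbCr) > 0 Or InStr(strValue, vbLf) > 0 Then Exit Function
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)*\.[A-Za-z]{2,}$"
    IsSafeEmail = re.Test(strValue)
End Function

' True if a free-text field is within its length limit and carries no control
' characters other than Tab, LF and CR (which are harmless inside a mail body).
Function IsSafeText(strValue, intMaxLen)
    Dim i, c
    IsSafeText = False
    If Len(strValue) > intMaxLen Then Exit Function
    For i = 1 To Len(strValue)
        c = Asc(Mid(strValue, i, 1))
        If c < 32 And c <> 9 And c <> 10 And c <> 13 Then Exit Function
    Next
    IsSafeText = True
End Function

' Usage: reject the request before touching news.txt or CDONTS. Because this
' runs on both the preview and the send=True stage, a value that passed the
' form but was altered in the CONFIRM URL is rejected as well.
If Not IsSafeEmail(strEmail) Or _
   Not IsSafeText(strFirstName, MAX_NAME_LEN) Or _
   Not IsSafeText(strLastName, MAX_NAME_LEN) Or _
   Not IsSafeText(strNews, MAX_NEWS_LEN) Then
    Response.Write "Invalid input. Please go back and check the form."
    Response.End
End If
```

The length caps also bound how fast news.txt can grow per request; if the file still needs protecting against volume, the same place is where a per-address or per-IP submission limit would go, but that is outside what the script above shows.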