Security problem with CDONTS

Posted on 2007-07-21
Last Modified: 2008-12-18
I have various websites where I use CDONTS for interactive email - usually questionnaires - between website owner and the client.
These work well and I have had no problems until now. One of my sites has been hacked and my server is being used to dissipate porn and general spam.
I have checked the text file "News.txt" and found it to be full of junk - 16 meg of junk!

I obviously have a weakness in the coding but I do not know where it is, although it seems to me that I should be putting a limit on the number of characters in the fields.

In the example below C:\text\news.txt is the text file that holds the data prior to transmission.
info@owner@com and are the site and my own emails (not the actual ones)
My server runs on MS Server 2003


Dim objFS        ' File System Object
Dim objSaveFile  ' File to save message to
Dim objMail      ' CDONTS mail object
' Dim variables to store form contents
Dim strFirstName, strLastName
Dim strEmail, strDate, strNews

' Read form and save in variables to save reading again later.
' Request() with no collection name reads the query string as well as the
' posted form, so every value below arrives unvalidated from any URL.
strDate = Now
strFirstName = Request("txtFirstName")
strLastName = Request("txtLastName")
strEmail = Request("txtEmail")
strNews = Request("txtNews")

If Not CBool(Request("send")) Then
    ' First pass: create FileSystemObject and open the file for appending
    Set objFS = Server.CreateObject("Scripting.FileSystemObject")
    Set objSaveFile = objFS.OpenTextFile("c:\Text\news.txt", 8, True)
    ' Write message to file (vbCrLf is a constant representing a new line)
    objSaveFile.Write "<MESSAGE>" & vbCrLf
    objSaveFile.Write "Date & Time: " & strDate & vbCrLf
    objSaveFile.Write "Names: " & strFirstName & "  " & strLastName & vbCrLf
    objSaveFile.Write "Email : " & strEmail & vbCrLf
    objSaveFile.Write "Newsletter : " & strNews & vbCrLf
    objSaveFile.Write "</MESSAGE>" & vbCrLf
    objSaveFile.Close ' close file
    Set objSaveFile = Nothing ' Remove reference to objects
    Set objFS = Nothing

    ' Now write response to user showing what was submitted
    Response.Write "Thank you for your Input. The following will be submitted. <BR></P>"
    Response.Write "<STRONG>Date: </STRONG>" & strDate & "<BR>"
    Response.Write "<STRONG>Name:</STRONG> " & strFirstName & "&nbsp;" & strLastName & "<BR>"
    Response.Write "<STRONG>Email:</STRONG> " & strEmail & "<BR>"
    Response.Write "<STRONG>Please place me on your email newsletter list:</STRONG> <BR>"
    ' CONFIRM re-requests this page with the same query string plus send=True
    Response.Write "<center><span><a href='save_newsletter.asp?" & Request.QueryString & "&send=True'><font color=black size=2><b>CONFIRM</b></font></a>&nbsp;&nbsp;&nbsp;&nbsp;<a href='guest.asp'><font color=black size=2><b>CANCEL</b></font></a></span></center><BR>"
Else
    ' Second pass (send=True): build and send the mail. The posted code did not
    ' show the End If or a .Send call; this Else branch is where both belong.
    Set objMail = CreateObject("CDONTS.NewMail")
    objMail.From = ""
    ' Comma-separated recipient list; strEmail is appended exactly as received
    objMail.To = ",info@ownercom," & strEmail
    objMail.Subject = " Newsletter"
    objMail.Body = strDate & "<br>" & strFirstName & "  " & strLastName & "<br>" & _
        "Email: " & strEmail & "<BR>" & _
        "Newsletter: " & strNews & "<BR>"
    objMail.BodyFormat = 0 ' 0 = HTML body
    objMail.MailFormat = 0 ' 0 = MIME
    objMail.Send
    Set objMail = Nothing
End If


Question by:Misafi

    Expert Comment

    Oh, my goodness!  You definitely need to call a function when you read in the Request("varname") value.  Someone can build a fake URL with bad data in it.

    This is a serious vulnerability to an attack called "SQL Injection".

    Try something like this...

    strFirstName = validText(Request("txtFirstName"), 50)
    strLastName = validText(Request("txtLastName"), 50)
    strEmail = validEmail(Request("txtEmail"))
    strNews = validText(Request("txtNews"), 6000)

    Build functions that test what kind of content you want to allow.
    Be sure to take out all single quote characters in each of the functions that handle non-numerics.  That can allow malicious code to hurt your database.

    Expert Comment

    Javascript sample functions...

    var msg = ""; // message shown to the user when a check fails

    function validEmail(formField){
          // [\w.-] is the same set as the original [\w-_\.] (\w already includes _)
          var objRegExp = /(^([\w.-]*)[\w.-]@([\w.-]*)([\w.-])\.([a-z]{3})$)|(^([\w.-]*)[\w.-]@([\w.-]*)([\w.-])\.([a-z]{3})(\.[a-z]{2})*$)|(^([\w.-]*)[\w.-]@([\w.-]*)([\w.-])\.([a-z]{2})$)/;
          formField.value = formField.value.toLowerCase();
          if (!objRegExp.test(formField.value)){
                msg = "Enter A Valid Email Address To Proceed.\n";
          }
          return objRegExp.test(formField.value);
    }

    function trim(s){ // older browsers have no String.prototype.trim
          return s.replace(/^\s+|\s+$/g, "");
    }

    function validText(formField, iLen){
          formField.value = trim(formField.value);
          if (formField.value.length > iLen){
                msg = formField.name + " Is too long.\n";
                msg += "Enter A Shorter String To Proceed.\n\n";
                return false;
          }
          return true;
    }

    Author Comment

    Many thanks - it's getting late here so I will need to have a good look at what you are saying tomorrow, but from what my first impressions are (and I am not an expert in any way - obviously) is that I should have been including some sort of validation with my fields.



    Author Comment

    I can see what i should be doing - thanks to your advice.

    The problem is that I draw the data from an input form on a different page and I am having trouble in getting the functions - particularly "ValidEmail" to work on either.

    The form data is transferred after a "Submit" event which relies upon a simple validation script
    function submit1_onclick() {
          // reject the submission if any required field is empty
          if ((document.frmHome.txtEmail.value == "")
                ||(document.frmHome.txtFirstName.value == "")
                ||(document.frmHome.txtLastName.value == "")
                ||(document.frmHome.txtNews.value == "")) {
                alert("One of the required fields has not been filled in. Please try again.");
                return false;
          }
          return true;
    }
    and I am struggling to include the ValidEmail and ValidText components to this.

    kind rgds


    Expert Comment

    This script I sent was javascript that was originally intended to be called from the SUBMIT button, but it sounds like you need a vbscript function that does the equivalent within the Pre-render code section.
    Let me see if I can help with that conversion.

    Another idea is to use the above validation scripts as javascript in the page where the user enters the data and use the POST method in the entry form so the data doesn't go out in the url where people can see it.  In the page that does the database updates, check request.form("varname") to be sure to only accept data from the entry page.

    For an added measure of security I would set a session variable in the entry page and check in the database posting page for that same value to be sure the data coming in is from a valid source.

    I'll see if I can work that up for you in the morning as it is late here right now.

    Illa LiQa,
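    The server-side checks the expert sketches (the validEmail/validText pair from the earlier comment, plus accepting only a POSTed form that carries a session token) worked out as an added example; this is not the question's or the expert's code. It is written in ES3-style JavaScript so the same functions run in a browser, under Node, or in ASP's JScript engine; OWNER_ADDRESS, validateSubmission and its parameters are assumed names standing in for the page's objMail.To recipient, Request.ServerVariables("REQUEST_METHOD"), Session and Request.Form.

```javascript
// Added example, not code from the question or the expert: server-side checks
// for the newsletter fields. ES3 syntax only (no String.prototype.trim) so it
// also runs under classic ASP's JScript engine.
var OWNER_ADDRESS = "info@owner.example"; // placeholder, not the site's real address

function trimStr(s) {
  return String(s == null ? "" : s).replace(/^\s+|\s+$/g, "");
}

// Exactly one address: a CR, LF, comma or semicolon in this field would become
// an extra header or recipient once the value is copied into objMail.To.
var EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;
function validEmail(value) {
  var s = trimStr(value).toLowerCase();
  if (s.length > 254 || /[\r\n,;]/.test(s)) return null;
  return EMAIL_RE.test(s) ? s : null;
}

// Free text: trim, enforce the length cap, drop control characters.
// Single-line fields lose CR/LF as well; the message body keeps them.
function validText(value, maxLen, multiline) {
  var s = trimStr(value);
  if (s.length > maxLen) return null;
  var ctrl = multiline ? /[\x00-\x09\x0B\x0C\x0E-\x1F\x7F]/g : /[\x00-\x1F\x7F]/g;
  return s.replace(ctrl, "");
}

// Accept a submission only when it arrived by POST (Request.Form rather than
// the query string) and carries the token the entry page stored in Session.
// method, sessionToken and form model REQUEST_METHOD, Session("token") and
// Request.Form; all three names are assumptions for this example.
function validateSubmission(method, sessionToken, form) {
  if (method !== "POST" || !sessionToken || form.token !== sessionToken) {
    return { ok: false, error: "not from the entry form" };
  }
  var first = validText(form.txtFirstName, 50, false);
  var last = validText(form.txtLastName, 50, false);
  var email = validEmail(form.txtEmail);
  var news = validText(form.txtNews, 6000, true);
  if (!first || !last || !email || !news) {
    return { ok: false, error: "missing or invalid field" };
  }
  // The recipient list is fixed apart from the one address validEmail accepted.
  return { ok: true, to: OWNER_ADDRESS + "," + email,
           first: first, last: last, email: email, news: news };
}
```

    Anything the checks return as null is rejected before it reaches the text file or CDONTS, so the 16 MB of junk in news.txt and the unexpected recipients both stop at this step.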

    Author Comment

    Thanks Dave
    I look forward to your advice.

    Author Comment

    Hi Dave
    Any progress?

    Author Comment

    I presume, in view of the lack of response, that this enquiry is now dead?



    Accepted Solution

    I suppose that - in view of the fact that nothing has happened - this subject should now be closed.
