
Security problem with CDONTS

Asked by Misafi (South Africa)
Topics: Security, Web Applications
I have various websites where I use CDONTS for interactive email - usually questionnaires - between the website owner and the client.
These work well and I have had no problems until now. One of my sites has been hacked and my server is being used to disseminate porn and general spam.
I have checked the text file "News.txt" and found it to be full of junk - 16 MB of junk!

I obviously have a weakness in the coding but I do not know where it is, although it seems to me that I should be putting a limit on the number of characters in the fields.

In the example below, C:\text\news.txt is the text file that holds the data prior to transmission.
info@owner.com and info@webmaster.com are the site's and my own emails (not the actual ones).
My server runs on MS Server 2003.

<%

Dim objFS ' File System Object
Dim objSaveFile ' File to save message to
'Dim variables to store form contents
Dim strFirstName,strLastName
Dim strEmail,strDate,strNews

'Read form and save in variables to save reading again later.
strDate = Now
strFirstName = Request("txtFirstName")
strLastName = Request("txtLastName")
strEmail = Request("txtEmail")
strNews = Request("txtNews")
IF NOT cbool(request("send")) THEN      
'Create filesystemobject and open file
set objFS = Server.CreateObject ("Scripting.FileSystemObject")
Set objSaveFile = objFS.OpenTextFile("c:\Text\news.txt",8,True)
'Write message to file
objSaveFile.write "<MESSAGE>" & vbcrlf 'vbcrlf is a constant representing a new line
ObjSaveFile.write "Date & Time: " & strDate & vbcrlf
ObjSaveFile.write "Names: " & strFirstName & "  " & strLastname & vbcrlf
ObjSaveFile.Write "Email : " & strEmail & vbcrlf
ObjSaveFile.Write "Newsletter : " & strNews & vbcrlf
ObjSaveFile.write "</MESSAGE>" & vbcrlf
ObjSaveFile.close ' close file
Set objSaveFile = nothing ' Remove reference to objects
set ObjFS = nothing

' Now write response to User showing what was submitted
Response.Write _
"Thank you for your Input. The following will be submitted. <BR></P>"
Response.Write  "<STRONG>Date: </STRONG>"  & strDate &  "<BR>"
Response.Write "<STRONG>Name:</STRONG> "  & strFirstName & "&nbsp" & strLastName & "<BR>"
Response.Write "<STRONG>Email:</STRONG> " & strEmail & "<BR>"
Response.Write " <STRONG>Please place me on your email newsletter list:</STRONG> " & "<BR>"
Response.Write "<center><span><a href='save_newsletter.asp?"& request.querystring &"&send=True'><font color = black size = 2><b>CONFIRM</b></font></a>&nbsp;&nbsp;&nbsp;&nbsp;<a href='guest.asp'><font color = black size = 2><b>CANCEL</b></a></center>" & "<BR>"
%></P>

<%
ELSE
Set objMail = CreateObject("CDONTS.Newmail")
objMail.From = "info@owner.com"
objMail.To = "info@webmaster.com,info@owner.com," & strEmail

objMail.Subject = " Newsletter"
objMail.Body = strDate & "<br>" & strFirstName  & "  " & strLastName & "<br>" & _
 "Email: " & strEmail & "<BR>" & _
 "Newsletter: " & strNews & "<BR>"
 objmail.BodyFormat = 0
objmail.MailFormat = 0
objMail.Send
Set objMail = Nothing
%>

rgds

Misafi
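Editor's added example, not the poster's code and not the paid answer: the posted handler puts txtEmail straight into objMail.To without checking it, reads every field with Request(), which also accepts query-string values, and triggers the send from a plain GET link (save_newsletter.asp?...&send=True), so nothing stops a client from calling that URL directly with its own recipient list and content of any length. The classic ASP/VBScript rewrite below keeps the field names, log file path and the two fixed recipient addresses from the post, but reads only the POSTed form body, accepts exactly one plain address in txtEmail, caps every field's length, sends a plain-text body, and HTML-encodes what it echoes back. IsSingleAddress and CleanField are illustrative helper names chosen for this example.

```vbscript
<%
Option Explicit
' Added example: hardened replacement for the form handler in the question
' (not the original poster's code). Field names and the two fixed recipient
' addresses come from the post; IsSingleAddress and CleanField are illustrative.

' Accept exactly one plain mailbox address. A CR/LF would let the field carry
' extra mail headers; commas, semicolons and spaces would smuggle in extra recipients.
Function IsSingleAddress(ByVal s)
    Dim re
    IsSingleAddress = False
    If Len(s) = 0 Or Len(s) > 254 Then Exit Function
    If InStr(s, vbCr) > 0 Or InStr(s, vbLf) > 0 Then Exit Function
    If InStr(s, ",") > 0 Or InStr(s, ";") > 0 Or InStr(s, " ") > 0 Then Exit Function
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
    IsSingleAddress = re.Test(s)
End Function

' Collapse line breaks in a single-line field and enforce a hard length limit.
Function CleanField(ByVal s, ByVal maxLen)
    s = "" & s
    s = Replace(Replace(s, vbCr, " "), vbLf, " ")
    If Len(s) > maxLen Then s = Left(s, maxLen)
    CleanField = Trim(s)
End Function

Dim strFirstName, strLastName, strEmail, strNews, strDate, strErr
Dim objMail, objFS, objSaveFile

' Only act on a POSTed form. A GET (the old CONFIRM link, or a bot's crafted URL)
' is sent back to the form page instead of triggering a mail.
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then
    Response.Redirect "guest.asp"
End If

' Request.Form reads the request body only, so query-string values are ignored.
strFirstName = CleanField(Request.Form("txtFirstName"), 60)
strLastName  = CleanField(Request.Form("txtLastName"), 60)
strEmail     = CleanField(Request.Form("txtEmail"), 254)
strNews      = "" & Request.Form("txtNews")
If Len(strNews) > 2000 Then strNews = Left(strNews, 2000)
strDate = Now

strErr = ""
If Len(strFirstName) = 0 Or Len(strLastName) = 0 Then strErr = strErr & "Name is required. "
If Not IsSingleAddress(strEmail) Then strErr = strErr & "Enter a single valid e-mail address. "

If Len(strErr) > 0 Then
    Response.Write "<p>" & Server.HTMLEncode(strErr) & "</p>"
    Response.End
End If

' Log the bounded, validated record to the same file as before.
Set objFS = Server.CreateObject("Scripting.FileSystemObject")
Set objSaveFile = objFS.OpenTextFile("c:\Text\news.txt", 8, True)
objSaveFile.Write "<MESSAGE>" & vbCrLf
objSaveFile.Write "Date & Time: " & strDate & vbCrLf
objSaveFile.Write "Names: " & strFirstName & "  " & strLastName & vbCrLf
objSaveFile.Write "Email : " & strEmail & vbCrLf
objSaveFile.Write "Newsletter : " & strNews & vbCrLf
objSaveFile.Write "</MESSAGE>" & vbCrLf
objSaveFile.Close
Set objSaveFile = Nothing
Set objFS = Nothing

' Fixed recipients plus the single validated submitter address. Plain-text
' body and format so submitted content cannot become HTML or mail structure.
Set objMail = Server.CreateObject("CDONTS.NewMail")
objMail.From = "info@owner.com"
objMail.To = "info@webmaster.com;info@owner.com;" & strEmail
objMail.Subject = "Newsletter"
objMail.BodyFormat = 1   ' CdoBodyFormatText
objMail.MailFormat = 1   ' CdoMailFormatText
objMail.Body = strDate & vbCrLf & strFirstName & " " & strLastName & vbCrLf & _
               "Email: " & strEmail & vbCrLf & "Newsletter: " & strNews & vbCrLf
objMail.Send
Set objMail = Nothing

' Echo back HTML-encoded so submitted text cannot inject markup into the page.
Response.Write "<p>Thank you. The following was submitted:<br>"
Response.Write "<strong>Name:</strong> " & Server.HTMLEncode(strFirstName & " " & strLastName) & "<br>"
Response.Write "<strong>Email:</strong> " & Server.HTMLEncode(strEmail) & "</p>"
%>
```

This collapses the preview-then-CONFIRM flow into a single POST; if the preview page is wanted, carry the values forward in hidden fields of a second POSTed form rather than in the query string, and validate them again on the second request. Recipients are separated with semicolons, which is the separator CDONTS.NewMail's To property expects. The length caps (60, 254, 2000) are assumptions for this example; pick values that fit the real forms.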