  1. #1
    Senior Coder crmpicco
    Join Date
    Jan 2005
    Location
    Mauchline, Scotland
    Posts
    1,097
    Thanks
    15
    Thanked 1 Time in 1 Post

    prevent email injection attack with classic ASP

    Code:
    <%
    	sBodyText = vbNullString
    	sBodyText = sBodyText & "<html>"
    		sBodyText = sBodyText & "<body>"
    			sBodyText = sBodyText & "<table width=""600px"" border=""1"" bordercolor=""#000000"">"
    			
    				sBodyText = sBodyText & "<tr>"
    					sBodyText = sBodyText & "<td bgcolor=""#999999"">"
    					sBodyText = sBodyText & "Email Correspondance from picco.co.uk"
    					sBodyText = sBodyText & "</td>"
    				sBodyText = sBodyText & "</tr>"
    				
    				'... Display the Name of sender
    				sBodyText = sBodyText & "<tr>"
    					sBodyText = sBodyText & "<td bordercolor=""#FFFFFF"">"
    					sBodyText = sBodyText & "Name: <strong>" & sName & "</strong>"
    					sBodyText = sBodyText & "</td>"
    				sBodyText = sBodyText & "</tr>"
    				
    				'... Display the Company (if applicable) of sender
    				sBodyText = sBodyText & "<tr>"
    					sBodyText = sBodyText & "<td bordercolor=""#FFFFFF"">"
    					sBodyText = sBodyText & "Company: <strong>" & sCompany & "</strong>"
    					sBodyText = sBodyText & "</td>"
    				sBodyText = sBodyText & "</tr>"
    				
    				'... Display Email Address
    				sBodyText = sBodyText & "<tr>"
    					sBodyText = sBodyText & "<td bordercolor=""#FFFFFF"">"
    					sBodyText = sBodyText & "Email Address: <strong>"
    					sBodyText = sBodyText & "<a href=""mailto:"&sEmail&""">"
    					sBodyText = sBodyText & sEmail & "</a></strong>"
    					sBodyText = sBodyText & "</td>"
    				sBodyText = sBodyText & "</tr>"
    				
    				'... Display Date and Time Email was sent
    				sBodyText = sBodyText & "<tr>"
    					sBodyText = sBodyText & "<td bordercolor=""#FFFFFF"">"
    					sBodyText = sBodyText & "Sent: <strong>" & FormatDateTime(date(),vbLongDate) & " at " & FormatDateTime(now(),vbShortTime) & "</strong>"
    					sBodyText = sBodyText & "</td>"
    				sBodyText = sBodyText & "</tr>"
    				
    				sBodyText = sBodyText & "<tr>"
    					sBodyText = sBodyText & "<td bordercolor=""#FFFFFF""><hr /></td>"
    				sBodyText = sBodyText & "</tr>"
    				
    				'... Display the Message sent
    				sBodyText = sBodyText & "<tr>"
    					sBodyText = sBodyText & "<td bordercolor=""#FFFFFF"">"&sMessage&"</td>"
    				sBodyText = sBodyText & "</tr>"
    				
    			sBodyText = sBodyText & "</table>"
    		sBodyText = sBodyText & "</body>"
    	sBodyText = sBodyText & "</html>"
    	
    	'... clear all current variables being used
    	sName = vbNullString
    	sCompany = vbNullString
    	sEmail = vbNullString
    	sMessage = vbNullString
    
    
    	Set myMail=CreateObject("CDO.Message")
    	myMail.Subject="Email Correspondance on "& FormatDateTime(date(),vblongdate) & " at " & FormatDateTime(now(),vbshorttime)
    	myMail.From="info@picco.co.uk"
    	myMail.To="cmorton@piccoro.co.uk"
    	myMail.HTMLBody=sBodyText '... the email message
    	myMail.Configuration.Fields.Item _
    	("http://schemas.microsoft.com/cdo/configuration/sendusing")=2
    	'Name or IP of remote SMTP server
    	myMail.Configuration.Fields.Item _
    	("http://schemas.microsoft.com/cdo/configuration/smtpserver") _
    	="smtp.picco.co.uk"
    	'Server Password
    	myMail.Configuration.Fields.Item _
    	("http://schemas.microsoft.com/cdo/configuration/sendpassword") _
    	="piccoltd"
    	'Server port
    	myMail.Configuration.Fields.Item _
    	("http://schemas.microsoft.com/cdo/configuration/smtpserverport") _
    	=25 
    	myMail.Configuration.Fields.Update
    	myMail.Send
    	
    	sBodyText = vbNullString
    	Set myMail = Nothing
    %>
    This is my code to send an email in Classic ASP. How can I prevent an email injection attack?

    Picco

  • #2
    New Coder
    Join Date
    Mar 2005
    Posts
    50
    Thanks
    0
    Thanked 2 Times in 2 Posts

    regular expressions

    Validate the user-entered data using regular expressions.
    I usually use a function something like this in an include file
    and call it from the page that does the form processing.


    Code:
    Function checkfname(strFname)
    	Dim objRegExp, blnValid, strErrFname
    	Set objRegExp = New RegExp
    	objRegExp.Pattern = "^\w{2,20}$"
    	blnValid = objRegExp.Test(strFname)
    	If Not blnValid Or Len(strFname) = 0 Then
    		' not matched, so the user input is invalid
    		strErrFname = "check this field"
    	End If
    	Set objRegExp = Nothing
    	' return the error text (empty string when the input is valid)
    	checkfname = strErrFname
    End Function
    The pattern here allows the user to enter between 2 and 20 alphanumerics.
    If the pattern does not match, strErrFname is assigned the value "check this field", which you can output next to the offending field.

    Hope that helps.

    If you have really just posted your email server password on the internet, I would change it now.
    see the munki click- was that so random?

  • #3
    Senior Coder crmpicco
    Join Date
    Jan 2005
    Location
    Mauchline, Scotland
    Posts
    1,097
    Thanks
    15
    Thanked 1 Time in 1 Post
    No, it is a dummy name - thanks for that!

  • #4
    Senior Coder crmpicco
    Join Date
    Jan 2005
    Location
    Mauchline, Scotland
    Posts
    1,097
    Thanks
    15
    Thanked 1 Time in 1 Post
    Thanks chud_wallice, I implemented that code and have SS email validation. Are there any other avenues to look out for? I have been told hackers can access your server just from a drop-down menu.

  • #5
    New Coder
    Join Date
    Mar 2005
    Posts
    50
    Thanks
    0
    Thanked 2 Times in 2 Posts

    check the referer

    Well if your page is at

    http://www.yoursite.com/mycontactform.asp

    and some 'nice' person wrote a page with a form that posts to yours, then as long as the name attributes of the form elements are the same as yours, any information could be entered, even if it's not on your list.

    You could implement RegExp functions on your selects, or the minimum security that my host requires is that you check the referring page.

    There is more than one way, but I tend to opt for the InStr function.
    Code:
    strReferer = Request.ServerVariables("HTTP_REFERER")
    If InStr(strReferer, "mydomain.com") = 0 Then
    	' redirect, warn or whatever
    End If
    see the munki click- was that so random?
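    The Referer check above, written out in Python as an added example (not code from the thread) so the two ways of comparing can be run side by side. The host names in ALLOWED_HOSTS and the sample Referer values are constructed for the example. The InStr-style substring test passes any URL that merely contains the string, including an unrelated host or a query parameter, so the second function parses the URL and compares the host exactly. Either way, the Referer is supplied by the client and is often stripped by browsers and privacy tools, so it only complements validating every submitted value on the server, as the post already recommends for selects.

```python
from urllib.parse import urlsplit

# Assumed deployment host names for the contact form (constructed for the example).
ALLOWED_HOSTS = {"www.yoursite.com", "yoursite.com"}


def referer_substring_ok(referer: str) -> bool:
    """The InStr-style check from the post above: passes whenever the string
    appears anywhere in the Referer, including inside an unrelated host name
    or a query string."""
    return "yoursite.com" in referer


def referer_host_ok(referer: str) -> bool:
    """Parse the Referer URL and compare its host name exactly against the
    allow-list. An absent or unparsable Referer fails closed."""
    if not referer:
        return False
    try:
        host = urlsplit(referer).hostname  # already lower-cased by urlsplit
    except ValueError:
        return False
    return host is not None and host in ALLOWED_HOSTS


# Constructed Referer values, not captured traffic.
SAMPLES = {
    "own form": "http://www.yoursite.com/mycontactform.asp",
    "other host containing the string": "http://yoursite.com.example.net/copy-of-form.html",
    "string only in the query": "http://other.example/form?back=http://www.yoursite.com/",
    "no referer sent": "",
}

if __name__ == "__main__":
    for label, ref in SAMPLES.items():
        print(f"{label:34} InStr-style={referer_substring_ok(ref)!s:5} host-match={referer_host_ok(ref)}")
```

    Running the block prints one line per sample; only the first sample passes the exact host comparison, while the substring test also accepts the second and third.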

  • #6
    Rockstar Coder
    Join Date
    Jun 2002
    Location
    USA
    Posts
    9,074
    Thanks
    1
    Thanked 328 Times in 324 Posts
    Quote Originally Posted by chud_wallice
    Validate the user-entered data using regular expressions.
    I usually use a function something like this in an include file
    and call it from the page that does the form processing.


    Code:
    Function checkfname(strFname)
    	Dim objRegExp, blnValid, strErrFname
    	Set objRegExp = New RegExp
    	objRegExp.Pattern = "^\w{2,20}$"
    	blnValid = objRegExp.Test(strFname)
    	If Not blnValid Or Len(strFname) = 0 Then
    		' not matched, so the user input is invalid
    		strErrFname = "check this field"
    	End If
    	Set objRegExp = Nothing
    	' return the error text (empty string when the input is valid)
    	checkfname = strErrFname
    End Function
    The pattern here allows the user to enter between 2 and 20 alphanumerics.
    If the pattern does not match, strErrFname is assigned the value "check this field", which you can output next to the offending field.

    Hope that helps.
    Here is a question though: when the server scans the email for header information, does it all have to be continuous? If not, your regex doesn't really stop an email injection attack. A more specific regex would be:

    Code:
    #(apparently\s*-\s*to)|(bcc)|(boundary)|(charset)|(content\s*-\s*disposition)|(content\s*-\s*type)|(content\s*-\s*transfer\s*-\s*encoding)|(errors\s*-\s*to)|(in\s*-\s*reply\s*-\s*to)|(message\s*-\s*id)|(mime\s*-\s*version)|(multipart\s*/\s*mixed)|(multipart\s*/\s*alternative)|(multipart\s*/\s*related)|(reply\s*-\s*to)|(x\s*-\s*mailer)|(x\s*-\s*sender)|(x\s*-\s*uidl)#is
    And then this doesn't limit the input you can take to 20 characters.
    OracleGuy
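    The two checks discussed in the thread, the allow-list pattern from chud_wallice's checkfname() and OracleGuy's header-keyword list, run together over constructed form submissions. This is an added Python example, not code from either poster; the VBScript RegExp object accepts the same \w, \s and alternation syntax and has an IgnoreCase property, so the patterns port directly once the PCRE "#...#is" delimiters are dropped. The EMAIL_RE pattern, the field names and the sample submissions are assumptions made for the example. Two points the posts leave implicit: a new header line can only begin after a CR or LF, so the decisive rule is that no value containing either reaches Subject, From or Reply-To, and the keyword list also rejects ordinary prose that happens to contain a word such as "boundary". In the code from post #1 the From, To and Subject headers are fixed server-side and user values only reach HTMLBody, so HTML-encoding those values (Server.HTMLEncode in Classic ASP) is the hardening that applies there; build_html_body shows that part.

```python
import html
import re

# Allow-list for the short name field, the same pattern as checkfname() above.
# re.ASCII makes Python's \w match [A-Za-z0-9_] like the VBScript RegExp object.
# fullmatch() is used instead of match() because in Python "$" also matches just
# before a trailing newline, which would let "Craig\n" through.
NAME_RE = re.compile(r"^\w{2,20}$", re.ASCII)

# Hypothetical, deliberately strict address shape (not a full RFC 5322 parser):
# one local part, one "@", a dotted domain, nothing else.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# OracleGuy's header-keyword list, rewritten from PCRE "#...#is" delimiters into
# a Python pattern with the equivalent IGNORECASE | DOTALL flags.
HEADER_KEYWORDS_RE = re.compile(
    r"(apparently\s*-\s*to)|(bcc)|(boundary)|(charset)|(content\s*-\s*disposition)"
    r"|(content\s*-\s*type)|(content\s*-\s*transfer\s*-\s*encoding)|(errors\s*-\s*to)"
    r"|(in\s*-\s*reply\s*-\s*to)|(message\s*-\s*id)|(mime\s*-\s*version)"
    r"|(multipart\s*/\s*mixed)|(multipart\s*/\s*alternative)|(multipart\s*/\s*related)"
    r"|(reply\s*-\s*to)|(x\s*-\s*mailer)|(x\s*-\s*sender)|(x\s*-\s*uidl)",
    re.IGNORECASE | re.DOTALL,
)

# A new header line can only start after a CR or LF, so a value that is copied
# into Subject, From or Reply-To must contain neither.
LINE_BREAK_RE = re.compile(r"[\r\n]")


def is_header_safe(value: str) -> bool:
    """True when value cannot start a new header line."""
    return LINE_BREAK_RE.search(value) is None


def contains_header_keywords(value: str) -> bool:
    """True when OracleGuy's keyword list matches anywhere in value."""
    return HEADER_KEYWORDS_RE.search(value) is not None


def validate_contact_form(form: dict) -> dict:
    """Return {field: "check this field"} for each failing field; {} means OK."""
    errors = {}
    name = form.get("name", "")
    email = form.get("email", "")
    message = form.get("message", "")
    if not NAME_RE.fullmatch(name):
        errors["name"] = "check this field"
    # The address is the value most likely to end up in a Reply-To or From
    # header, so it gets the line-break check as well as the shape check.
    if not is_header_safe(email) or not EMAIL_RE.fullmatch(email):
        errors["email"] = "check this field"
    if not message.strip() or contains_header_keywords(message):
        errors["message"] = "check this field"
    return errors


def build_html_body(name: str, company: str, email: str, message: str) -> str:
    """HTML-encode every user value before concatenating it into the mail body,
    the Python counterpart of Server.HTMLEncode in Classic ASP."""
    esc = html.escape  # escapes <, >, & and quotes
    rows = [
        "Name: <strong>%s</strong>" % esc(name),
        "Company: <strong>%s</strong>" % esc(company),
        'Email Address: <strong><a href="mailto:%s">%s</a></strong>' % (esc(email), esc(email)),
        esc(message).replace("\n", "<br />"),
    ]
    cells = "".join("<tr><td>%s</td></tr>" % r for r in rows)
    return "<html><body><table>" + cells + "</table></body></html>"


# Constructed sample submissions, not real traffic.
CLEAN_FORM = {"name": "Craig", "email": "craig@example.com",
              "message": "Hello from the contact form."}
INJECTED_FORM = {"name": "Craig", "email": "craig@example.com\r\nBcc: other@example.net",
                 "message": "Hello from the contact form."}
KEYWORD_FORM = {"name": "Craig", "email": "craig@example.com",
                "message": "The fence marks the boundary of the plot."}

if __name__ == "__main__":
    for label, form in (("clean", CLEAN_FORM), ("injected", INJECTED_FORM), ("keyword", KEYWORD_FORM)):
        print(label, validate_contact_form(form))
    print(build_html_body("<b>Craig</b>", "Picco Ltd", "craig@example.com", "line one\nline two"))
```

    The clean submission passes, the one with a line break in the address is rejected by the header check before the keyword list is even consulted, and the innocent message containing "boundary" is rejected by the keyword list, which is the false-positive cost of that approach.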

