AOH :: Web :: IIS :: WEB4994.HTM

AOH :: Web :: IIS :: WEB4994.HTM
IIS Asp CDONTS.NEWMAIL server side script maybe fooled to send forged e-mails

14th Jan 2002 [SBWID-4994]

COMMAND

	IIS Asp CDONTS.NEWMAIL server side script maybe fooled  to  send  forged
	e-mails

SYSTEMS AFFECTED

	IIS 5.0 ??

PROBLEM

	From David Litchfield advisory [www.ngssoftware.com] :
	

	The CDONTS.NEWMAIL used in many ASP based forums does not handle  %0D%0A
	(newline) stripping from  arguments.  Hence  it  is  possible  to  forge
	e-mail\'s via simple mail commands emmbeded in the arguments  passed  to
	CDONTS.NEWMAIL.
	

	 Sample :

	 ========

	

	http://victim/bad_with_email_tag.asp?email=target@dot.com%0D%0Adata%0D%0ASubject:%20Spoofed!%0D%0A%0D%0AHi,%0D%0AThis%20is%20a%20spoofed%20email%0D%0A.%0D%0Aquit%0D%0A

	

SOLUTION

	Strip  \"newline\"  chars  from  arguments  before  feeding  CDONTS  asp
	scripts

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better). Site design & layout copyright © 1986-2009 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.