prevent email injection attack with classic ASP



crmpicco
04-11-2006, 11:48 AM
<%
'... sName, sCompany, sEmail and sMessage are assumed to have been read from the submitted form (Request.Form) earlier in this page
sBodyText = vbNullString
sBodyText = sBodyText & "<html>"
sBodyText = sBodyText & "<body>"
sBodyText = sBodyText & "<table width=""600px"" border=""1"" bordercolor=""#000000"">"

sBodyText = sBodyText & "<tr>"
sBodyText = sBodyText & "<td bgcolor=""#999999"">"
sBodyText = sBodyText & "Email Correspondence from picco.co.uk"
sBodyText = sBodyText & "</td>"
sBodyText = sBodyText & "</tr>"

'... Display the Name of sender
sBodyText = sBodyText & "<tr>"
sBodyText = sBodyText & "<td bordercolor=""#FFFFFF"">"
sBodyText = sBodyText & "Name: <strong>" & sName & "</strong>"
sBodyText = sBodyText & "</td>"
sBodyText = sBodyText & "</tr>"

'... Display the Company (if applicable) of sender
sBodyText = sBodyText & "<tr>"
sBodyText = sBodyText & "<td bordercolor=""#FFFFFF"">"
sBodyText = sBodyText & "Company: <strong>" & sCompany & "</strong>"
sBodyText = sBodyText & "</td>"
sBodyText = sBodyText & "</tr>"

'... Display Email Address
sBodyText = sBodyText & "<tr>"
sBodyText = sBodyText & "<td bordercolor=""#FFFFFF"">"
sBodyText = sBodyText & "Email Address: <strong>"
sBodyText = sBodyText & "<a href=""mailto:"&sEmail&""">"
sBodyText = sBodyText & sEmail & "</a></strong>"
sBodyText = sBodyText & "</td>"
sBodyText = sBodyText & "</tr>"

'... Display Date and Time Email was sent
sBodyText = sBodyText & "<tr>"
sBodyText = sBodyText & "<td bordercolor=""#FFFFFF"">"
sBodyText = sBodyText & "Sent: <strong>" & FormatDateTime(date(),vbLongDate) & " at " & FormatDateTime(now(),vbShortTime) & "</strong>"
sBodyText = sBodyText & "</td>"
sBodyText = sBodyText & "</tr>"

sBodyText = sBodyText & "<tr>"
sBodyText = sBodyText & "<td bordercolor=""#FFFFFF""><hr /></td>"
sBodyText = sBodyText & "</tr>"

'... Display the Message sent
sBodyText = sBodyText & "<tr>"
sBodyText = sBodyText & "<td bordercolor=""#FFFFFF"">"&sMessage&"</td>"
sBodyText = sBodyText & "</tr>"

sBodyText = sBodyText & "</table>"
sBodyText = sBodyText & "</body>"
sBodyText = sBodyText & "</html>"

'... clear all current variables being used
sName = vbNullString
sCompany = vbNullString
sEmail = vbNullString
sMessage = vbNullString


Set myMail=CreateObject("CDO.Message")
myMail.Subject="Email Correspondence on "& FormatDateTime(date(),vblongdate) & " at " & FormatDateTime(now(),vbshorttime)
myMail.From="info@picco.co.uk"
myMail.To="cmorton@piccoro.co.uk"
myMail.HTMLBody=sBodyText '... the email message
myMail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendusing")=2
'Name or IP of remote SMTP server
myMail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserver") _
="smtp.picco.co.uk"
'Server Password
myMail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/sendpassword") _
="piccoltd"
'Server port
myMail.Configuration.Fields.Item _
("http://schemas.microsoft.com/cdo/configuration/smtpserverport") _
=25
myMail.Configuration.Fields.Update
myMail.Send

sBodyText = vbNullString
Set myMail = Nothing
%>


This is my code to send an email in Classic ASP. How can I prevent an email injection attack?

Picco

chud_wallice
04-11-2006, 12:47 PM
Validate the user entered data using regular expressions.
I usually use a function something like this in an include file
and call it from the page that does the form processing.





Function checkfname(strFname)
Dim objRegExp, blnValid, strErrFname
strErrFname = vbNullString
Set objRegExp = New RegExp
objRegExp.Pattern = "^\w{2,20}$"
blnValid = objRegExp.Test(strFname)
If NOT blnValid OR Len(strFname) = 0 Then
' not matched so user input is invalid
strErrFname = "check this field"
END IF
Set objRegExp = Nothing
' return the error text (empty string when the input is valid) so the calling page can use it
checkfname = strErrFname
End Function


The pattern here allows the user to enter between 2 and 20 alphanumerics.
If the pattern does not match, strErrFname is assigned the value "check this field", which you can output next to the offending field.

Hope that helps.

If you have really just posted your email server password on the internet, I would change it now.

crmpicco
04-11-2006, 01:21 PM
No, it is a dummy name - thanks for that!

crmpicco
04-11-2006, 02:13 PM
Thanks chud_wallice, I implemented that code and have SS email validation. Are there any other avenues to look out for? I have been told hackers can access your server just from a drop-down menu.

chud_wallice
04-11-2006, 03:15 PM
Well if your page is at

http://www.yoursite.com/mycontactform.asp

and some 'nice' person wrote a page with a form that posts to yours, as long as the name attributes of the form elements are the same as yours, any information could be entered - even if it's not on your list.

You could implement regExp functions on your selects, or the minimum security that my host requires is that you check the referring page.

There is more than one way, but I tend to opt for the InStr function.



strReferer = Request.ServerVariables("HTTP_REFERER")
' note: the Referer header is supplied by the client, so it can be left out or forged; this only stops the casual case
' vbTextCompare makes the match case-insensitive, since host names may arrive in any case
If InStr(1, strReferer, "mydomain.com", vbTextCompare) = 0 Then
' redirect, warn or whatever
End If

oracleguy
04-11-2006, 07:33 PM
Validate the user entered data using regular expressions.
I usually use a function something like this in an include file
and call it from the page that does the form processing.





Function checkfname(strFname)
Dim objRegExp, blnValid, strErrFname
strErrFname = vbNullString
Set objRegExp = New RegExp
objRegExp.Pattern = "^\w{2,20}$"
blnValid = objRegExp.Test(strFname)
If NOT blnValid OR Len(strFname) = 0 Then
' not matched so user input is invalid
strErrFname = "check this field"
END IF
Set objRegExp = Nothing
' return the error text (empty string when the input is valid) so the calling page can use it
checkfname = strErrFname
End Function


The pattern here allows the user to enter between 2 and 20 alphanumerics.
If the pattern does not match, strErrFname is assigned the value "check this field", which you can output next to the offending field.

Hope that helps.

Here is a question though: when the server scans the email for header information, does it all have to be continuous? If not, your regex doesn't really stop an email injection attack. A more specific regex would be:


#(apparently\s*-\s*to)|(bcc)|(boundary)|(charset)|(content\s*-\s*disposition)|(content\s*-\s*type)|(content\s*-\s*transfer\s*-\s*encoding)|(errors\s*-\s*to)|(in\s*-\s*reply\s*-\s*to)|(message\s*-\s*id)|(mime\s*-\s*version)|(multipart\s*/\s*mixed)|(multipart\s*/\s*alternative)|(multipart\s*/\s*related)|(reply\s*-\s*to)|(x\s*-\s*mailer)|(x\s*-\s*sender)|(x\s*-\s*uidl)#is

And then this doesn't limit the input you can take to 20 characters.
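A validation layer that combines the two approaches in this thread (chud_wallice's regular-expression check and oracleguy's header keyword list), written here as an added example that is not code from either post. It assumes the form fields are named name, email and message; the function names are mine.

```vbscript
<%
' Added example, not code from any post in this thread. Any value that ends up
' in a mail header (Subject, From, Reply-To) must not contain a line break:
' a CR/LF is what lets a sender append extra headers such as Bcc:. Fields that
' only go into HTMLBody are HTML-encoded instead. Function names and the form
' field names (name, email, message) are assumptions.

' True when strValue can be placed in a header: no CR, LF or NUL (the
' essential test) and none of the header/MIME keywords oracleguy listed,
' rewritten for VBScript's RegExp (no #...#is delimiters; IgnoreCase = True
' replaces the "i" flag).
Function IsHeaderSafe(strValue)
    Dim objRegExp
    IsHeaderSafe = False
    If InStr(strValue, vbCr) > 0 Or InStr(strValue, vbLf) > 0 _
       Or InStr(strValue, Chr(0)) > 0 Then Exit Function
    Set objRegExp = New RegExp
    objRegExp.IgnoreCase = True
    objRegExp.Pattern = "(apparently\s*-\s*to)|(bcc)|(boundary)|(charset)|" & _
        "(content\s*-\s*(disposition|type|transfer\s*-\s*encoding))|" & _
        "(errors\s*-\s*to)|(in\s*-\s*reply\s*-\s*to)|(message\s*-\s*id)|" & _
        "(mime\s*-\s*version)|(multipart\s*/\s*(mixed|alternative|related))|" & _
        "(reply\s*-\s*to)|(x\s*-\s*(mailer|sender|uidl))"
    IsHeaderSafe = Not objRegExp.Test(strValue)
    Set objRegExp = Nothing
End Function

' Exactly one address with no spaces, so it is safe to use as Reply-To.
Function IsPlainEmail(strValue)
    Dim objRegExp
    Set objRegExp = New RegExp
    objRegExp.Pattern = "^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}$"
    IsPlainEmail = objRegExp.Test(strValue)
    Set objRegExp = Nothing
End Function

' Form handler: validate header-bound fields, encode the body-only one.
Dim sName, sEmail, sMessage
sName    = Trim(Request.Form("name"))
sEmail   = Trim(Request.Form("email"))
sMessage = Request.Form("message")
If Not (IsHeaderSafe(sName) And IsPlainEmail(sEmail)) Then
    Response.Write "Please check the name and email address fields."
    Response.End
End If
' The message only goes into HTMLBody; encoding it stops sender-supplied
' markup from being rendered by the recipient's mail client.
sMessage = Server.HTMLEncode(sMessage)
%>
```

The keyword list is oracleguy's as posted and will also reject ordinary text that happens to contain a word like boundary or charset; the CR/LF test is the part that actually blocks header injection.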


