malevolent form variables
am 21.01.2008 03:33:22 von nutso fasst
OK, I know of bad things that can happen when form variables are displayed
without filtering for HTML tags, but how can the contents of a form variable
take control of VB script code execution and delete a variable that contains
those contents plus other text?
I have a form-processing ASP page (VB script) that emails some form
variables using a component. The gist is something like this:
' build a variable that appears on the page:
items = Request.Form("item1") & "
" & Request.Form("item2")
' modify it for the email message:
mailer.body = "Items: " & Replace(items,,"
",vbNewLine) & vbNewLine _
& Request.ServerVariables("REMOTE_ADDR")
Given the above, even if the form is submitted with no data by user at IP
99.99.99.99, the email message should still be:
Items:
99.99.99.99
BUT recently, someone began submitting form data such that I received
totally blank emails - even REMOTE_ADDR was missing. I revised the VB Script
thusly:
emailbody = "Items: " & Replace(items,"
",vbNewLine) & vbNewLine
mailer.body = emailbody & vbNewLine & Len(emailbody) & vbNewLine _
& Request.ServerVariables("REMOTE_ADDR")
Now when this person submits form data, the email DOES contain the length of
emailbody and the REMOTE_ADDR. But, in spite of having text assigned to it,
the length of emailbody is ZERO! It sure looks like something in the form
variables is doing some dirty work.
IIS 4 with (AFAIK) all patches and hotfixes. IIS logs indicate the form data
is being submitted from the local form. How can this be happening?
nf
RE: malevolent form variables
am 21.01.2008 13:47:00 von AnthonyJones
"nutso fasst" wrote:
> OK, I know of bad things that can happen when form variables are displayed
> without filtering for HTML tags, but how can the contents of a form variable
> take control of VB script code execution and delete a variable that contains
> those contents plus other text?
>
> I have a form-processing ASP page (VB script) that emails some form
> variables using a component. The gist is something like this:
>
> ' build a variable that appears on the page:
>
> items = Request.Form("item1") & "
" & Request.Form("item2")
>
> ' modify it for the email message:
>
> mailer.body = "Items: " & Replace(items,,"
",vbNewLine) & vbNewLine _
> & Request.ServerVariables("REMOTE_ADDR")
>
> Given the above, even if the form is submitted with no data by user at IP
> 99.99.99.99, the email message should still be:
>
> Items:
>
> 99.99.99.99
>
> BUT recently, someone began submitting form data such that I received
> totally blank emails - even REMOTE_ADDR was missing. I revised the VB Script
> thusly:
>
> emailbody = "Items: " & Replace(items,"
",vbNewLine) & vbNewLine
> mailer.body = emailbody & vbNewLine & Len(emailbody) & vbNewLine _
> & Request.ServerVariables("REMOTE_ADDR")
>
> Now when this person submits form data, the email DOES contain the length of
> emailbody and the REMOTE_ADDR. But, in spite of having text assigned to it,
> the length of emailbody is ZERO! It sure looks like something in the form
> variables is doing some dirty work.
>
> IIS 4 with (AFAIK) all patches and hotfixes. IIS logs indicate the form data
> is being submitted from the local form. How can this be happening?
>
Does you code contain this line:-
On Error Resume Next
if so remove it and see if the line it generating an error.
--
Anthony Jones - MVP ASP/ASP.NET
Re: malevolent form variables
am 21.01.2008 19:54:50 von nutso fasst
"Anthony Jones" wrote in message
news:10D67E66-E93F-490D-A8AF-4BFF7BB3E2CD@microsoft.com...
> Does you code contain this line:-
>
> On Error Resume Next
Thanks for the suggestion, but there is no On Error statement.
nf