Is .net vulnerable to this spam attack.

Discussion in 'ASP .Net' started by vMike, Sep 13, 2005.

  1. vMike

    vMike Guest

    http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay

    Here is a snip from the above link.

    .... attacker is hoping to exploit unchecked fields in a "web to email" form.
    The attack works by assuming a field used in an email header (such as the
    "From:" address or the "Subject:") is passed unchecked to the mail
    subsystem. Appending a newline character and a few more carefully crafted
    header lines with a BCC list and a spam message body might trick the
    underlying mail system into relaying spam for the attacker. An initial test
    sending a BCC copy to has been used on most forms
    on my site to phish for vulnerable scripts. If you run a site, you should
    check and strip fields for carriage return and newline characters used
    directly in email headers.

    ...
    I tested my forms and they seems to be finel, but was wondering if anyone
    knows where asp.net is vulnerable to this atack.
    I use SmtpMail.Send and I htmlencode all fields on the form.

    Mike
     
    vMike, Sep 13, 2005
    #1
    1. Advertising

  2. ASP.Net is NOT vulnerable to this attack. ASP.Net generates HTML, and
    processes ASP.Net forms. It can spit out any HTML you want it to, and handle
    the forms any way you want it to. IOW, ASP.Net is not at fault if a
    developer doesn't implement the correct type of validation for his/her
    forms.

    --
    HTH,

    Kevin Spencer
    Microsoft MVP
    ..Net Developer
    Neither a follower nor a lender be.

    "vMike" <> wrote in message
    news:tQFVe.11325$...
    >
    > http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
    >
    > Here is a snip from the above link.
    >
    > ... attacker is hoping to exploit unchecked fields in a "web to email"
    > form.
    > The attack works by assuming a field used in an email header (such as the
    > "From:" address or the "Subject:") is passed unchecked to the mail
    > subsystem. Appending a newline character and a few more carefully crafted
    > header lines with a BCC list and a spam message body might trick the
    > underlying mail system into relaying spam for the attacker. An initial
    > test
    > sending a BCC copy to has been used on most
    > forms
    > on my site to phish for vulnerable scripts. If you run a site, you should
    > check and strip fields for carriage return and newline characters used
    > directly in email headers.
    >
    > ..
    > I tested my forms and they seems to be finel, but was wondering if anyone
    > knows where asp.net is vulnerable to this atack.
    > I use SmtpMail.Send and I htmlencode all fields on the form.
    >
    > Mike
    >
    >
     
    Kevin Spencer, Sep 13, 2005
    #2
    1. Advertising

  3. vMike

    darrel Guest

    > ASP.Net is NOT vulnerable to this attack. ASP.Net generates HTML, and
    > processes ASP.Net forms. It can spit out any HTML you want it to, and

    handle
    > the forms any way you want it to. IOW, ASP.Net is not at fault if a
    > developer doesn't implement the correct type of validation for his/her
    > forms.


    Guns don't kill people, people do? ;o)

    My (limited) understanding is that this type of attack (an email injection)
    isn't existant on the .net platform due to the way .net handles the sending
    of email. In PHP, I think the fields are sent directly as headers, where in
    ..net they aren't. But that's all just my limited understanding of the
    situation.

    Kevin is right, it makes sense to get in the habit of doing thorough
    validation. Strip out all line breaks and extraneous @ symbols in the
    TO/FROM fields for starters.

    -Darrel
     
    darrel, Sep 13, 2005
    #3
  4. vMike

    Bruce Barker Guest

    that is to say .net is only vulnerable to this attack (or others like sql
    injection) if the site is not coded properly. .net does not prevent these
    coding errors.

    -- bruce (sqlwork.com)


    "Kevin Spencer" <> wrote in message
    news:%...
    > ASP.Net is NOT vulnerable to this attack. ASP.Net generates HTML, and
    > processes ASP.Net forms. It can spit out any HTML you want it to, and
    > handle the forms any way you want it to. IOW, ASP.Net is not at fault if a
    > developer doesn't implement the correct type of validation for his/her
    > forms.
    >
    > --
    > HTH,
    >
    > Kevin Spencer
    > Microsoft MVP
    > .Net Developer
    > Neither a follower nor a lender be.
    >
    > "vMike" <> wrote in message
    > news:tQFVe.11325$...
    >>
    >> http://www.anders.com/cms/75/Crack.Attempt/Spam.Relay
    >>
    >> Here is a snip from the above link.
    >>
    >> ... attacker is hoping to exploit unchecked fields in a "web to email"
    >> form.
    >> The attack works by assuming a field used in an email header (such as the
    >> "From:" address or the "Subject:") is passed unchecked to the mail
    >> subsystem. Appending a newline character and a few more carefully crafted
    >> header lines with a BCC list and a spam message body might trick the
    >> underlying mail system into relaying spam for the attacker. An initial
    >> test
    >> sending a BCC copy to has been used on most
    >> forms
    >> on my site to phish for vulnerable scripts. If you run a site, you
    >> should
    >> check and strip fields for carriage return and newline characters used
    >> directly in email headers.
    >>
    >> ..
    >> I tested my forms and they seems to be finel, but was wondering if anyone
    >> knows where asp.net is vulnerable to this atack.
    >> I use SmtpMail.Send and I htmlencode all fields on the form.
    >>
    >> Mike
    >>
    >>

    >
    >
     
    Bruce Barker, Sep 14, 2005
    #4
  5. Kevin Spencer wrote:
    > ASP.Net is NOT vulnerable to this attack. ASP.Net generates HTML, and
    > processes ASP.Net forms. It can spit out any HTML you want it to, and
    > handle the forms any way you want it to. IOW, ASP.Net is not at fault
    > if a developer doesn't implement the correct type of validation for
    > his/her forms.
    >


    That's very true, but it's also important to realize that there is code in
    ASP.NET itself to validate requests via the ValidateRequest property.
    However, Microsoft recommends that you also validate form data.

    Here's more information:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000003.asp

    --
    Jim Cheshire
    JIMCO Software
    http://www.jimcosoftware.com

    FrontPage add-ins for FrontPage 2000 - 2003
     
    JIMCO Software, Sep 14, 2005
    #5
  6. vMike

    vMike Guest

    "JIMCO Software" <> wrote in message
    news:...
    > Kevin Spencer wrote:
    >> ASP.Net is NOT vulnerable to this attack. ASP.Net generates HTML, and
    >> processes ASP.Net forms. It can spit out any HTML you want it to, and
    >> handle the forms any way you want it to. IOW, ASP.Net is not at fault
    >> if a developer doesn't implement the correct type of validation for
    >> his/her forms.
    >>

    >
    > That's very true, but it's also important to realize that there is code in
    > ASP.NET itself to validate requests via the ValidateRequest property.
    > However, Microsoft recommends that you also validate form data.
    >
    > Here's more information:
    >
    > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000003.asp
    >
    > --
    > Jim Cheshire
    > JIMCO Software
    > http://www.jimcosoftware.com
    >
    > FrontPage add-ins for FrontPage 2000 - 2003
    >
    >

    Thanks for the feedback. I do regex validate the from email address but only
    client side and validate the domain name serverside based on the first @ to
    the end, so if there is more than one @ then the page won't process the
    email server side. The To address is not shown and the subject and body are
    htmlencoded. The only think I need to tighten up is to redo the regex email
    validation server side in case someone bypassed the client side validaton.
    Thanks agiain.
    Mike
     
    vMike, Sep 14, 2005
    #6
  7. > Guns don't kill people, people do? ;o)

    Well, my Uncle Chutney sez "Guns don't kill people, and people don't kill
    people either. Ideas kill people."

    Whatever that means!

    ;-)

    Kevin Spencer
    Microsoft MVP
    ..Net Developer
    Neither a follower nor a lender be.

    "darrel" <> wrote in message
    news:%...
    >> ASP.Net is NOT vulnerable to this attack. ASP.Net generates HTML, and
    >> processes ASP.Net forms. It can spit out any HTML you want it to, and

    > handle
    >> the forms any way you want it to. IOW, ASP.Net is not at fault if a
    >> developer doesn't implement the correct type of validation for his/her
    >> forms.

    >
    > Guns don't kill people, people do? ;o)
    >
    > My (limited) understanding is that this type of attack (an email
    > injection)
    > isn't existant on the .net platform due to the way .net handles the
    > sending
    > of email. In PHP, I think the fields are sent directly as headers, where
    > in
    > .net they aren't. But that's all just my limited understanding of the
    > situation.
    >
    > Kevin is right, it makes sense to get in the habit of doing thorough
    > validation. Strip out all line breaks and extraneous @ symbols in the
    > TO/FROM fields for starters.
    >
    > -Darrel
    >
    >
     
    Kevin Spencer, Sep 14, 2005
    #7
  8. vMike

    Hans Kesting Guest

    vMike wrote:
    > "JIMCO Software" <> wrote in message
    > news:...
    >> Kevin Spencer wrote:
    >>> ASP.Net is NOT vulnerable to this attack. ASP.Net generates HTML,
    >>> and processes ASP.Net forms. It can spit out any HTML you want it
    >>> to, and handle the forms any way you want it to. IOW, ASP.Net is
    >>> not at fault if a developer doesn't implement the correct type of
    >>> validation for his/her forms.
    >>>

    >>
    >> That's very true, but it's also important to realize that there is
    >> code in ASP.NET itself to validate requests via the ValidateRequest
    >> property. However, Microsoft recommends that you also validate form
    >> data. Here's more information:
    >>
    >> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000003.asp
    >>
    >> --
    >> Jim Cheshire
    >> JIMCO Software
    >> http://www.jimcosoftware.com
    >>
    >> FrontPage add-ins for FrontPage 2000 - 2003
    >>
    >>

    > Thanks for the feedback. I do regex validate the from email address
    > but only client side and validate the domain name serverside based on
    > the first @ to the end, so if there is more than one @ then the page
    > won't process the email server side. The To address is not shown and
    > the subject and body are htmlencoded. The only think I need to
    > tighten up is to redo the regex email validation server side in case
    > someone bypassed the client side validaton. Thanks agiain.
    > Mike


    If I understand correctly, when you use a .Net validator, the code is not
    only run client-side, but *also* server-side, to prevent bypassing.
    If you built you own validating script, then you will have to check server-side yourself.

    Hans Kesting
     
    Hans Kesting, Sep 14, 2005
    #8
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Rene Pijlman
    Replies:
    22
    Views:
    734
    Fredrik Lundh
    Dec 10, 2003
  2. Lalatendu Das

    Is void* vulnerable

    Lalatendu Das, Feb 9, 2007, in forum: C Programming
    Replies:
    30
    Views:
    949
    Dietmar Schindler
    Feb 20, 2007
  3. clamz
    Replies:
    8
    Views:
    809
    clamz
    Jul 16, 2011
  4. Carsten Eckelmann

    Spam attack on Ruby-Garden

    Carsten Eckelmann, May 16, 2004, in forum: Ruby
    Replies:
    2
    Views:
    91
    Nicholas Van Weerdenburg
    May 17, 2004
  5. unni.tallman

    Ruby Sockets Vulnerable?

    unni.tallman, Oct 20, 2006, in forum: Ruby
    Replies:
    1
    Views:
    79
    Robert Klemme
    Oct 20, 2006
Loading...

Share This Page