malevolent form variables

N

nutso fasst

OK, I know of bad things that can happen when form variables are displayed
without filtering for HTML tags, but how can the contents of a form variable
take control of VB script code execution and delete a variable that contains
those contents plus other text?

I have a form-processing ASP page (VB script) that emails some form
variables using a component. The gist is something like this:

' build a variable that appears on the page:

items = Request.Form("item1") & "<br>" & Request.Form("item2")

' modify it for the email message:

mailer.body = "Items: " & Replace(items,,"<br>",vbNewLine) & vbNewLine _
& Request.ServerVariables("REMOTE_ADDR")

Given the above, even if the form is submitted with no data by user at IP
99.99.99.99, the email message should still be:

Items:

99.99.99.99

BUT recently, someone began submitting form data such that I received
totally blank emails - even REMOTE_ADDR was missing. I revised the VB Script
thusly:

emailbody = "Items: " & Replace(items,"<br>",vbNewLine) & vbNewLine
mailer.body = emailbody & vbNewLine & Len(emailbody) & vbNewLine _
& Request.ServerVariables("REMOTE_ADDR")

Now when this person submits form data, the email DOES contain the length of
emailbody and the REMOTE_ADDR. But, in spite of having text assigned to it,
the length of emailbody is ZERO! It sure looks like something in the form
variables is doing some dirty work.

IIS 4 with (AFAIK) all patches and hotfixes. IIS logs indicate the form data
is being submitted from the local form. How can this be happening?

nf
 
A

Anthony Jones

nutso fasst said:
OK, I know of bad things that can happen when form variables are displayed
without filtering for HTML tags, but how can the contents of a form variable
take control of VB script code execution and delete a variable that contains
those contents plus other text?

I have a form-processing ASP page (VB script) that emails some form
variables using a component. The gist is something like this:

' build a variable that appears on the page:

items = Request.Form("item1") & "<br>" & Request.Form("item2")

' modify it for the email message:

mailer.body = "Items: " & Replace(items,,"<br>",vbNewLine) & vbNewLine _
& Request.ServerVariables("REMOTE_ADDR")

Given the above, even if the form is submitted with no data by user at IP
99.99.99.99, the email message should still be:

Items:

99.99.99.99

BUT recently, someone began submitting form data such that I received
totally blank emails - even REMOTE_ADDR was missing. I revised the VB Script
thusly:

emailbody = "Items: " & Replace(items,"<br>",vbNewLine) & vbNewLine
mailer.body = emailbody & vbNewLine & Len(emailbody) & vbNewLine _
& Request.ServerVariables("REMOTE_ADDR")

Now when this person submits form data, the email DOES contain the length of
emailbody and the REMOTE_ADDR. But, in spite of having text assigned to it,
the length of emailbody is ZERO! It sure looks like something in the form
variables is doing some dirty work.

IIS 4 with (AFAIK) all patches and hotfixes. IIS logs indicate the form data
is being submitted from the local form. How can this be happening?

Does you code contain this line:-

On Error Resume Next

if so remove it and see if the line it generating an error.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,482
Members
44,901
Latest member
Noble71S45

Latest Threads

Top