malevolent form variables

Discussion in 'ASP General' started by nutso fasst, Jan 21, 2008.

  1. nutso fasst

    nutso fasst Guest

    OK, I know of bad things that can happen when form variables are displayed
    without filtering for HTML tags, but how can the contents of a form variable
    take control of VB script code execution and delete a variable that contains
    those contents plus other text?

    I have a form-processing ASP page (VB script) that emails some form
    variables using a component. The gist is something like this:

    ' build a variable that appears on the page:

    items = Request.Form("item1") & "<br>" & Request.Form("item2")

    ' modify it for the email message:

    mailer.body = "Items: " & Replace(items,"<br>",vbNewLine) & vbNewLine _
    & Request.ServerVariables("REMOTE_ADDR")

    Given the above, even if the form is submitted with no data by user at IP
    99.99.99.99, the email message should still be:

    Items:

    99.99.99.99

    BUT recently, someone began submitting form data such that I received
    totally blank emails - even REMOTE_ADDR was missing. I revised the VB Script
    thusly:

    emailbody = "Items: " & Replace(items,"<br>",vbNewLine) & vbNewLine
    mailer.body = emailbody & vbNewLine & Len(emailbody) & vbNewLine _
    & Request.ServerVariables("REMOTE_ADDR")

    Now when this person submits form data, the email DOES contain the length of
    emailbody and the REMOTE_ADDR. But, in spite of having text assigned to it,
    the length of emailbody is ZERO! It sure looks like something in the form
    variables is doing some dirty work.

    IIS 4 with (AFAIK) all patches and hotfixes. IIS logs indicate the form data
    is being submitted from the local form. How can this be happening?

    nf
     
    nutso fasst, Jan 21, 2008
    #1

  2. "nutso fasst" wrote:

    > OK, I know of bad things that can happen when form variables are displayed
    > without filtering for HTML tags, but how can the contents of a form variable
    > take control of VB script code execution and delete a variable that contains
    > those contents plus other text?
    >
    > I have a form-processing ASP page (VB script) that emails some form
    > variables using a component. The gist is something like this:
    >
    > ' build a variable that appears on the page:
    >
    > items = Request.Form("item1") & "<br>" & Request.Form("item2")
    >
    > ' modify it for the email message:
    >
    > mailer.body = "Items: " & Replace(items,"<br>",vbNewLine) & vbNewLine _
    > & Request.ServerVariables("REMOTE_ADDR")
    >
    > Given the above, even if the form is submitted with no data by user at IP
    > 99.99.99.99, the email message should still be:
    >
    > Items:
    >
    > 99.99.99.99
    >
    > BUT recently, someone began submitting form data such that I received
    > totally blank emails - even REMOTE_ADDR was missing. I revised the VB Script
    > thusly:
    >
    > emailbody = "Items: " & Replace(items,"<br>",vbNewLine) & vbNewLine
    > mailer.body = emailbody & vbNewLine & Len(emailbody) & vbNewLine _
    > & Request.ServerVariables("REMOTE_ADDR")
    >
    > Now when this person submits form data, the email DOES contain the length of
    > emailbody and the REMOTE_ADDR. But, in spite of having text assigned to it,
    > the length of emailbody is ZERO! It sure looks like something in the form
    > variables is doing some dirty work.
    >
    > IIS 4 with (AFAIK) all patches and hotfixes. IIS logs indicate the form data
    > is being submitted from the local form. How can this be happening?
    >


    Does your code contain this line:-

    On Error Resume Next

    If so, remove it and see if the line is generating an error.

    --
    Anthony Jones - MVP ASP/ASP.NET
     
    Anthony Jones, Jan 21, 2008
    #2

  3. nutso fasst

    nutso fasst Guest

    "Anthony Jones" <> wrote in message
    news:...
    > Does your code contain this line:-
    >
    > On Error Resume Next


    Thanks for the suggestion, but there is no On Error statement.

    nf
     
    nutso fasst, Jan 21, 2008
    #3
