CDOSYS - security

    CDOSYS - security  
Rusty




 
01-18-06 10:55 PM

I am hosting a few websites on a win2003 server (fully patched) / IIS6.  Each
site has forms that when filled out use CDOSYS to email info to users inside
the company.  Everything works great.

Are there any CDOSYS vulnerabilities that a spammer could use to take
advantage of those forms to spam people?  If so, is there anything I can do
to lock them down?

Your advice and experiences would be very appreciated.










    Re: CDOSYS - security  
Christian Paparelli




 
01-19-06 07:57 AM

"Rusty" <Rusty@discussions.microsoft.com> wrote in message
news:D126AF3A-93F6-4BF8-ACBF-25387423D8F6@microsoft.com...

Hi

> I am hosting a few websites on a win2003 server (fully patched) / IIS6.
> Each site has forms that when filled out use CDOSYS to email info to users
> inside the company.  Everything works great.
>
> Are there any CDOSYS vulnerabilities that a spammer could use to take
> advantage of those forms to spam people?  If so, is there anything I can
> do to lock them down?
>
> Your advice and experiences would be very appreciated.

I suggest reading this document
http://support.microsoft.com/defaul...kb;en-us;324281


--
Christian Paparelli
http://www.ithost.ch









    Re: CDOSYS - security  
Rusty




 
01-20-06 01:49 AM

Thanks.  Fortunately I have disabled the smtp virtual server on my webserver.
My forms connect to an Exchange server to send the mail.  Great care has
been taken to make sure it is not an open relay.

My question is specifically about CDOSYS.  Can someone exploit my form to
take advantage of CDOSYS and the info it uses to connect to an SMTP server to
start sending unsolicited email?

"Christian Paparelli" wrote:

> "Rusty" <Rusty@discussions.microsoft.com> wrote in message
> news:D126AF3A-93F6-4BF8-ACBF-25387423D8F6@microsoft.com...
>
> Hi
>
>
> I suggest reading this document
> http://support.microsoft.com/defaul...kb;en-us;324281
>
>
> --
> Christian Paparelli
> http://www.ithost.ch
>
>








    Re: CDOSYS - security  
Chris Priede




 
01-20-06 11:02 PM

Hi,

Rusty wrote:
> Are there any CDOSYS vulnerabilities that a spammer could use
> to take advantage of those forms to spam people?  If so, is there
> anything I can do to lock them down?

The vulnerability potential, if any, would be in your form design, not
CDOSYS.  If it is possible to somehow feed destination addresses to your
form, it is possible to use it to send spam -- although I doubt spammers
often go to such lengths.  One example of a novice approach with a wide
open hole would be a form with a dropdown for recipient selection, where the
email addresses are embedded in the dropdown's option values and used
unchecked on postback.

If you have any doubts about this, have a competent programmer look over
your forms.

--
Chris Priede
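
The recipient check described in the reply above, as an added example that is not part of the original thread or any poster's code: the dropdown posts only a department key, the server maps it to a fixed address, and single-line fields are refused if they contain control characters or more than one address. It goes slightly beyond the dropdown case by also checking the sender and subject fields. The field names (`dept`, `email`, `subject`, `message`), the key table and the addresses are constructed assumptions; the returned values are what the page would then hand to the mail component.

```javascript
// Added example: recipients are chosen server-side from a fixed table.
// The department keys and addresses below are constructed placeholders.
var RECIPIENTS = {
  sales:   "sales@example.com",
  support: "support@example.com",
  hr:      "hr@example.com"
};

// Single-line fields (subject, sender address) must not carry CR, LF or
// other control characters, which could add extra header lines.
function isSingleLine(value, maxLen) {
  return typeof value === "string" &&
         value.length > 0 && value.length <= maxLen &&
         !/[\x00-\x1f\x7f]/.test(value);
}

// Exactly one address: no whitespace, commas, semicolons or brackets
// that would turn the value into an address list.
function isSingleAddress(value) {
  return isSingleLine(value, 254) &&
         /^[^\s@,;<>()"]+@[^\s@,;<>()"]+\.[^\s@,;<>()"]+$/.test(value);
}

// form: object holding the posted fields.
// Returns {ok:false, error} or {ok:true, to, replyTo, subject, body}.
function buildMessage(form) {
  var key = String(form.dept || "");
  // hasOwnProperty keeps inherited names such as "constructor" out.
  if (!Object.prototype.hasOwnProperty.call(RECIPIENTS, key)) {
    return { ok: false, error: "unknown recipient" };
  }
  if (!isSingleAddress(form.email)) {
    return { ok: false, error: "bad sender address" };
  }
  if (!isSingleLine(form.subject, 120)) {
    return { ok: false, error: "bad subject" };
  }
  var body = String(form.message || "");
  if (body.length === 0 || body.length > 5000) {
    return { ok: false, error: "bad message" };
  }
  return {
    ok: true,
    to: RECIPIENTS[key],            // never taken from the request
    replyTo: form.email,
    subject: "[Web form] " + form.subject,
    body: body
  };
}
```
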






