Bugtraq mailing list archives

ASP Application Security: CDONTS.NEWMAIL


From: "David Litchfield" <david () nextgenss com>
Date: Fri, 11 Jan 2002 15:21:35 -0000

Howdy,
I've written a paper on a potential risk with using the CDONTS.NEWMAIL
object in Microsoft ASP applications running on Internet Information Server.
The paper discusses how an attacker can leverage an ASP page using the
CDONTS.NEWMAIL object to send arbitrary e-mails from the vulnerable web
server. The CDONTS.NEWMAIL object is used frequently to provide e-mail
functionality for pages such as feedback or contact forms and so ASP
developers should ensure that all client input be made safe before passing
it to any of the properties of the object. Paper available from
http://www.nextgenss.com/research.html .
Cheers,
David Litchfield

