Getting through captcha

This being for email pay particular attention to removing semicolons (;) as this can be used to list multiple email address for a single submission hack that will relay to 1000's of email addresses in one go.

The CAPTCHA code is stored in a session, once this has been submitted the session variable is destroyed so you have to generate a new CAPTCHA code and submit is again.

The JavaScript they use doesn't matter at all. The problem is your own code you posted before, it is VERY dangerous for  the reason that I listed earlier as you do not parse the user submitted data before you use it.

You need to go back to your own code and parse each and every piece of data submitted removing any malicious code before you use it. This has to be done server side, not using JavaScript.

You should never use Request("xxx") directly you should always place this into a variable and then parse the variable for malicious code before you use it.

Unless you have modified the CAPTCHA code they would only be able to submit the once before having to generate a new CAPTCHA code and entering it to be able to submit again.

It could well be that they are only submitting once to send the email 100's of times. I can see from your code that you are not parsing the user input and only using Request to get the data.

This is very dangerous as the data can be submitted using either GET or POST, also you are not parsing it to remove any malicious code.

The person submitting the malicious code could easily send a request to the server that contained 100's of email address. Most mail servers, if they receive a list of email addresses separated by a semicolon will send that email to ALL those email addresses in the list.

You should rewrite your code to only allow submissions using POST from a form. You should then also parse the data to remove any malicious code such as semicolons from the email_to field and also any tags < and > from all the fields submitted.

This is the very lease you should do to remove any malicious code as there are lots of different hacking techniques to get mail servers to relay on 1000's of emails just from a single form submission.


Edited by WebWiz-Bruce - 12 October 2009 at 12:27pm

Are you using CDOSYS to send the email?

If so you need to parse the data submitted.

For example you can include 100's of email address separated by a semicolon in the subject line CSDOSYS will send the email to each of these email addresses.

You can prevent this by parsing the data submitted for the subject line shortening the length to say 100 characters and removing any semicolons (;)

Using JavaScript to validate the form, or using the size of a textbox will not work as these are both client side and can easily be changed by turning off javascript in the browser and using a browser plugin to modify the form input fields.