E-mail Notify problem with Comcast Addys

Post Reply

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
niugiovanni Members Profile Find Members Posts Groupie Joined: 20 July 2004 Status: Offline Points: 43	Post Options Post Reply Quote niugiovanni Report Post Thanks(0) Quote Reply Topic: E-mail Notify problem with Comcast Addys Posted: 09 August 2005 at 7:08pm
	I'm having some problems with my WebWiz forums not being able to mail out to Comcast Addresses. I've been through the code and can't seem to find the issue. An e-mail that is entered by the user as this: someone@comcast.net will actually be mailed by the software as this: someone @comcast.net It seems as the the "S" is being replaced by an "s" Anyone have any ideas or solutions? Thanks

dpyers Members Profile Find Members Posts Senior Member Joined: 12 May 2003 Status: Offline Points: 3937	Post Options Post Reply Quote dpyers Report Post Thanks(0) Quote Reply Posted: 09 August 2005 at 10:10pm
	The forum encodes certain character strings that users enter to prevent sql injection attacks. Might be a good idea to include functions/functions_filters.asp in functions/send_mail.asp and run the email address through the decodeString function before putting it in the "To" field of whatever email component you're using.
	Lead me not into temptation... I know the short cut, follow me.

JJLatWebWiz Members Profile Find Members Posts Groupie Joined: 02 March 2005 Location: United States Status: Offline Points: 136	Post Options Post Reply Quote JJLatWebWiz Report Post Thanks(0) Quote Reply Posted: 10 August 2005 at 12:00pm
	"cast" gets converted to "cast" to prevent the SQL function "CAST" from being injected. I found that the sendmail() function in pm_post_message.asp uses the decodeString() function to decode the username and email addresses. However, in email_messenger.asp, all the variables are sent to the sendmail() function raw. This is definitely a bug in 7.92 that seems to also exist at least as far back as 7.01. It seems to me that the best solution is to use the decodeString() function inside the sendmail() function itself. This more safely assumes the input is not sanitized. In functions_send_mail.asp (in the forum/functions folder and the forum/admin/functions folder), immediately below the line "Function SendMail(...), add the following: strRecipientEmailAddress = decodeString(strRecipientEmailAddress) strRecipientName = decodeString(strRecipientName) strFromEmailName = decodeString(strFromEmailName) strFromEmailAddress = decodeString(strFromEmailAddress) That should ensure that all the incoming data is restored before actually attempting to send mail.

niugiovanni Members Profile Find Members Posts Groupie Joined: 20 July 2004 Status: Offline Points: 43	Post Options Post Reply Quote niugiovanni Report Post Thanks(0) Quote Reply Posted: 10 August 2005 at 3:30pm
	Awesome Suggestion! Thanks so much. I figured it had to do with security but just couldn't find the reference. Thanks again! Gio

Post Reply

Forum Jump

Forum Permissions View Drop Down

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot delete your posts in this forum
You cannot edit your posts in this forum
You cannot create polls in this forum
You cannot vote in polls in this forum