Many IIS web servers running ASP applications use the CDONTS.NEWMAIL object to provide the functionality behind feedback or contact forms. This paper examines how the CDONTS.NEWMAIL object can be used by attackers to send arbitrary e-mails via the vulnerable web server, and what must be done to prevent an online ASP application from being abused in this way. It is written to show ASP developers the importance of validating client input: without it, even the most seemingly innocuous code can become dangerous.
Author: David Litchfield
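As an added example that is not part of the paper, the following ASP/VBScript contact-form handler applies the validation the abstract calls for: the recipient is fixed server-side, and every client-supplied field is checked before it reaches CDONTS.NewMail. The recipient address, form field names and length limits are assumptions.

```vbscript
<%
Option Explicit
' Added example (not from the paper): a feedback form that uses
' CDONTS.NewMail but never lets the client choose the recipient and
' rejects header-breaking characters in the fields it does accept.

' Assumption: the site owner's inbox is fixed here, never read from the form.
Const FEEDBACK_RECIPIENT = "feedback@example.com"

' A CR or LF inside a header value lets one field become several header
' lines, so any field that lands in a header must be a single line.
Function IsSingleLine(value)
    IsSingleLine = (InStr(value, vbCr) = 0) And (InStr(value, vbLf) = 0)
End Function

' Minimal shape check for the sender address: bounded length and a
' conservative pattern. Tightening it is fine; loosening it is not.
Function LooksLikeAddress(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"
    LooksLikeAddress = (Len(value) <= 254) And re.Test(value)
End Function

Dim senderAddr, subjectText, bodyText, mail
senderAddr  = Trim(Request.Form("email"))
subjectText = Trim(Request.Form("subject"))
bodyText    = Request.Form("message")

If Not LooksLikeAddress(senderAddr) Then
    Response.Write "Invalid e-mail address."
ElseIf (Not IsSingleLine(subjectText)) Or Len(subjectText) > 200 Then
    Response.Write "Invalid subject."
ElseIf Len(bodyText) > 4000 Then
    Response.Write "Message too long."
Else
    Set mail = Server.CreateObject("CDONTS.NewMail")
    ' From and To are server-controlled; the visitor's address goes only
    ' into the body, where it cannot change who the message is sent to.
    mail.From = FEEDBACK_RECIPIENT
    mail.To = FEEDBACK_RECIPIENT
    mail.Subject = "[Contact form] " & subjectText
    mail.Body = "Reply to: " & senderAddr & vbCrLf & vbCrLf & bodyText
    mail.Send
    Set mail = Nothing
    Response.Write "Thank you for your feedback."
End If
%>
```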