Snitz Forums 2000
 FIXED: Fake mail sending from pop_mail.asp

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 11 September 2006 :  03:42:56
There has been an issue with pop_mail.asp, that allowed persons to change their email address and user name that is sent in the email, which is different than what is in their profile.

Solution was to remove the hidden form fields that held the members email address and user name and retrieve this info after the form has been submitted, from the database.

In pop_mail.asp, find line 58 and add the code in green below it:
strRName = ChkString(rs("M_NAME"),"display")
<font color="green">strREmail = rs("M_EMAIL")
strRReceiveEmail = rs("M_RECEIVE_EMAIL")
 
rs.close
set rs = nothing</font id="green">

Find line 59 and change it to the following:
if mLev > 2 or <font color="green">strRReceiveEmail</font id="green"> = "1" then

Find line 62 and add the code in green below it and delete the code in red:
Err_Msg = ""
<font color="green">if mLev => 2 then
 strSql =  "SELECT M_NAME, M_USERNAME, M_EMAIL "
 strSql = strSql & " FROM " & strMemberTablePrefix & "MEMBERS"
 strSql = strSql & " WHERE MEMBER_ID = " & MemberID

 set rs2 = my_conn.Execute (strSql)
 YName = rs2("M_NAME")
 YEmail = rs2("M_EMAIL")
 set rs2 = nothing
else</font id="green">
 if Request.Form("YName") = "" then 
  Err_Msg = Err_Msg & "<li>You must enter your UserName</li>"
 end if
 if Request.Form("YEmail") = "" then 
  Err_Msg = Err_Msg & "<li>You Must give your e-mail address</li>"
 else
  if EmailField(Request.Form("YEmail")) = 0 then 
   Err_Msg = Err_Msg & "<li>You Must enter a valid e-mail address</li>"
  end if
 end if
 <font color="red">if Request.Form("Name") = "" then 
  Err_Msg = Err_Msg & "<li>You must enter the recipients name</li>"
 end if</font id="red">
<font color="green">end if</font id="green">


Change lines 82 - 87 with the following. Code in green was what was changed:
strRecipients = strREmail
strFrom = <font color="green">YEmail</font id="green"> 'Request.Form("YEmail")
strFromName = <font color="green">YName</font id="green"> 'Request.Form("YName")
strSubject = "Sent From " & strForumTitle & " by " & <font color="green">YName</font id="green"> 'Request.Form("YName")
strMessage = "Hello " & strRName & vbNewline & vbNewline
strMessage = strMessage & "You received the following message from: " & <font color="green">YName</font id="green"> & " (" & <font color="green">YEmail</font id="green"> & ") " & vbNewline & vbNewline 


Change lines 111 - 114 to the following:
if <font color="green">trim(strREmail)</font id="green"> <> "" then
 strSql =  "SELECT M_NAME, M_USERNAME, M_EMAIL "
 strSql = strSql & " FROM " & strMemberTablePrefix & "MEMBERS"
 strSql = strSql & " WHERE <font color="green">MEMBER_ID = " & MemberID</font id="green">


Delete the following code in red from line 147:

" <td bgColor=""" & strPopUpTableColor & """><font face=""" & strDefaultFontFace & """ size=""" & strDefaultFontSize & """>" & strRName & "<font color="red"><input type=""hidden"" name=""Name"" value=""" & strRName & """></font id="red"></font></td>" & vbNewLine & _

Change lines 150 - 164 to the following:
"                <td bgColor=""" & strPopUpTableColor & """ align=""right"" nowrap><b><font face=""" & strDefaultFontFace & """ size=""" & strDefaultFontSize & """>Your Name:</font></b></td>" & vbNewLine & _
  "                <td bgColor=""" & strPopUpTableColor & """>"
if YName = "" then
 Response.Write "<input name=""YName"" type=""text"" value=""" & YName & """ size=""25"">"
else
 Response.Write "<font face=""" & strDefaultFontFace & """ size=""" & strDefaultFontSize & """>" & YName & "</font>" & vbNewLine
end if
Response.Write "              </td></tr>" & vbNewLine & _
  "              <tr>" & vbNewLine & _
  "                <td bgColor=""" & strPopUpTableColor & """ align=""right"" nowrap><b><font face=""" & strDefaultFontFace & """ size=""" & strDefaultFontSize & """>Your E-mail:</font></b></td>" & vbNewLine & _
  "                <td bgColor=""" & strPopUpTableColor & """>"
if YEmail = "" then
 Response.Write "<input name=""YEmail"" type=""text"" value=""" & YEmail & """ size=""25"">"
else
 Response.Write "<font face=""" & strDefaultFontFace & """ size=""" & strDefaultFontSize & """>" & YEmail & "</font>"
end if
Response.Write "</td>" & vbNewLine & _
  "              </tr>" & vbNewLine & _


Remove the following code from line 190:
set rs = nothing


These changes have been made in pop_mail.asp file in the 3.4.06 version.
You can consult that file if these instructions are a little bit complicated.


Edited by - Davio on 26 September 2006 05:45:41
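
Added example, not part of the original post or the Snitz code base: a Python sketch of the pattern the fix applies, with the pre-fix handler (sender taken from submitted form fields) beside the post-fix one (sender and recipient resolved from the database). The column names and `mLev` comparisons mirror the post; the function names, sample rows and tampered form are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample rows standing in for the forum's MEMBERS table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MEMBERS (MEMBER_ID INTEGER PRIMARY KEY, "
               "M_NAME TEXT, M_EMAIL TEXT, M_RECEIVE_EMAIL TEXT)")
    db.executemany("INSERT INTO MEMBERS VALUES (?, ?, ?, ?)", [
        (1, "alice", "alice@example.test", "1"),
        (2, "bob", "bob@example.test", "1"),
        (3, "carol", "carol@example.test", "0"),  # opted out of e-mail
    ])
    return db

def lookup(db, member_id):
    # Bound parameter: the id is never concatenated into the SQL text.
    return db.execute("SELECT M_NAME, M_EMAIL, M_RECEIVE_EMAIL FROM MEMBERS "
                      "WHERE MEMBER_ID = ?", (member_id,)).fetchone()

def build_mail_before(db, recipient_id, form):
    # Pre-fix pattern: sender identity is whatever the form submitted.
    _, r_email, _ = lookup(db, recipient_id)
    return {"to": r_email, "from_name": form["YName"], "from": form["YEmail"]}

def build_mail_after(db, m_lev, member_id, recipient_id, form):
    # Post-fix pattern: recipient and member sender both come from the database.
    _, r_email, r_receive = lookup(db, recipient_id)
    if not (m_lev > 2 or r_receive == "1"):
        raise PermissionError("recipient does not accept e-mail")
    if m_lev >= 2:
        y_name, y_email, _ = lookup(db, member_id)  # form values ignored
    else:
        y_name, y_email = form.get("YName", ""), form.get("YEmail", "")
        if not y_name or "@" not in y_email:
            raise ValueError("name and a valid e-mail address are required")
    return {"to": r_email, "from_name": y_name, "from": y_email}

# Constructed request body carrying tampered sender fields.
TAMPERED_FORM = {"YName": "Forum Admin", "YEmail": "admin@example.test"}
```
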