Microsoft.AspNetCore.Mvc.Localization.LocalizedHtmlStringNew Security Fix, Snitz 3.4.07

New Security Fix, Snitz 3.4.07

Printed from: Snitz™ Forums 2000
URL: https://forum.snitz.com/forumTopic/Posts/68812?pagenum=1
Printed on: 04 November 2025, 05:02

Topic

Author : ruirib
Subject : New Security Fix, Snitz 3.4.07
Posted : 29 July 2009, 07:05
Message :

There is a security related bug fix with register.asp. The issue is serious enough to compromise the security of a board. It affects version 3.4.07 only, since previous versions don't use the code with the security problem,

To fix the issue issue, in register.asp, replace lines#391-433:

Code:


              If strAutoLogon <> 1 then
			if Request.Form("Email") = "" then
				Err_Msg = Err_Msg & "<li>You Must give an e-mail address</li>"
			else
				'Comment out down to the next comment to let it take me@example.com and/or .ex as well
				'strsql = "SELECT SPAM_SERVER FROM " & strTablePrefix & "SPAM_MAIL WHERE SPAM_SERVER = '" & chkString(Request.Form("Email"),"sqlstring") & "'"
				'set rsSpam = my_Conn.Execute (strsql)
				
				'If Not rsSpam.EOF Then
				'	Err_Msg = Err_Msg & "<li>You cannot register with '" & chkString(Request.Form("Email"),"sqlstring") & "'.</li>"
				'End If 
				
				'Dim strMailTLD : strMailTLD = LCase(Mid(Request.Form("Email"),InStrRev(Request.Form("Email"),".")))
				
				'strsql = "SELECT SPAM_SERVER FROM " & strTablePrefix & "SPAM_MAIL WHERE SPAM_SERVER = '" & strMailTLD & "'"
				'set rsSpam = my_Conn.Execute (strsql)
				
				'If Not rsSpam.EOF Then
				'	Err_Msg = Err_Msg & "<li>You cannot register with a '" & strMailTLD & "' email address.</li>"
				'End If 
				'Comment out up to the previous comment to let it take me@example.com and/or .ex as well
				
				Dim strMailDomain : strMailDomain = LCase(Mid(Request.Form("Email"),InStrRev(Request.Form("Email"),"@")))
				
				strsql = "SELECT SPAM_SERVER FROM " & strTablePrefix & "SPAM_MAIL WHERE SPAM_SERVER = '" & strMailDomain & "'"
				set rsSpam = my_Conn.Execute (strsql)
				
				If Not rsSpam.EOF Then
					Err_Msg = Err_Msg & "<li>You cannot register with an '" & strMailDomain & "' email address.</li>"
				End If 
				
				rsSpam.close
				Set rsSpam = Nothing
			end if
			
			if Request.Form("Email") <> Request.Form("Email3") then
				Err_Msg = Err_Msg & "<li>Your E-mail Addresses didn't match.</li>"
			end if

			if EmailField(Request.Form("Email")) = 0 then 
				Err_Msg = Err_Msg & "<li>You Must enter a valid e-mail address</li>"
			end if
		end if

with

Code:


             If strAutoLogon <> 1 Then
			if EmailField(Request.Form("Email")) = 0 then 
				Err_Msg = Err_Msg & "<li>You Must enter a valid e-mail address</li>"
			elseif Request.Form("Email") = "" then
				Err_Msg = Err_Msg & "<li>You Must give an e-mail address</li>"
			else				
				Dim strMailDomain : strMailDomain = LCase(Mid(Request.Form("Email"),InStrRev(Request.Form("Email"),"@")))
				
				strsql = "SELECT SPAM_SERVER FROM " & strTablePrefix & "SPAM_MAIL WHERE SPAM_SERVER = '" & strMailDomain & "'"
				set rsSpam = my_Conn.Execute (strsql)
				
				If Not rsSpam.EOF Then
					Err_Msg = Err_Msg & "<li>You cannot register with an '" & strMailDomain & "' email address.</li>"
				End If 
				
				rsSpam.close
				Set rsSpam = Nothing
			end if
			
			if Request.Form("Email") <> Request.Form("Email3") then
				Err_Msg = Err_Msg & "<li>Your E-mail Addresses didn't match.</li>"
			end if


		end if

Any questions about this issue, please post at the General Help, Current version forum.