Wednesday, February 16, 2011

An example of an unsafe web form

During my investigations into the configuration of a website and looking into the various methods of providing a feedback mechanism, I came across an example that illustrated how a web form could reveal information that you did not want revealed.

Although in this case the information was visible on my computer screen, and normally it would have been hidden, it would have been easy to reveal it by looking at the source for the webpage. That would have been the case if the script had not been linked from a page that was in a protected directory.

MessageBody = MessageBody & "Message: " & Trim(Request.Form("message"))

' change to address of your own SMTP server
strHost = "mail.oneworldsafedisk.com"

If Request("Submit") <> "" Then
    Set Mail = Server.CreateObject("Persits.MailSender")
    ' enter valid SMTP host
    Mail.Host = strHost
    Mail.Username = "contact@oneworldsafedisk.com"
    Mail.Password = "r@pevan"
    Mail.From = "contact@oneworldsafedisk.com"
    Mail.FromName = "OneWorld SafeDisk"
    Mail.AddAddress "terry.bradshaw@radmediacorp.com"
    'Mail.AddAddress "robert.douglas@oneworldoffice.com"
    Mail.AddAddress "robert.siemons@radmediacorp.com"
    Mail.AddAddress "wayne.mcalpine@oneworldoffice.com"
    Mail.AddAddress "formlog@oneworldoffice.com"
    ' message subject
    Mail.Subject = "OneWorld SafeDisk - Contact Us

The text above was echoed back in my web browser when I pressed the "Submit" button on a web form whose script had not been fully debugged. The information comes from the hidden fields within the form; these should never be visible to a visitor to a website.

I posted the text as it appeared on my screen.
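As an added example, not part of the original post, here is the kind of check a site owner can run over a form handler's HTTP response to flag echoed server-side ASP source, credential assignments and hardcoded recipient addresses, and to mask those values before the response is pasted into a bug report. The sample response and every host, address and password in it are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Markers of classic ASP / VBScript source that should have been executed
# on the server, never sent to the browser.
SOURCE_MARKERS = [
    re.compile(r"Server\.CreateObject\("),
    re.compile(r"Request(\.Form)?\("),
    re.compile(r"\bSet\s+\w+\s*="),
    re.compile(r"\bIf\b.+\bThen\b"),
]
# Quoted assignments to SMTP credentials / host, including the strHost variable
# used by the echoed script above.
SENSITIVE = re.compile(
    r'(?P<key>\b\w+\.(Password|Username|Host)\b|\bstrHost\b)\s*=\s*"(?P<value>[^"]*)"',
    re.IGNORECASE,
)
RECIPIENT = re.compile(r'\bAddAddress\s+"(?P<value>[^"]+)"', re.IGNORECASE)

@dataclass
class Finding:
    line_no: int
    kind: str      # "asp-source", "credential" or "recipient"
    detail: str

def find_source_leak(body: str) -> list[Finding]:
    """Scan a response body line by line and report leaked server-side details."""
    findings = []
    for n, line in enumerate(body.splitlines(), start=1):
        if any(p.search(line) for p in SOURCE_MARKERS):
            findings.append(Finding(n, "asp-source", line.strip()[:60]))
        for m in SENSITIVE.finditer(line):
            findings.append(Finding(n, "credential", m.group("key")))
        for m in RECIPIENT.finditer(line):
            findings.append(Finding(n, "recipient", m.group("value")))
    return findings

def redact(body: str) -> str:
    """Mask secret values and recipients before the response is logged or shared."""
    body = SENSITIVE.sub(lambda m: f'{m.group("key")} = "[REDACTED]"', body)
    return RECIPIENT.sub('AddAddress "[REDACTED]"', body)

# Constructed sample modelled on the echoed fragment; all values are placeholders.
SAMPLE_RESPONSE = """<html><body>Thank you!
strHost = "mail.example.com" If Request("Submit") <> "" Then Set Mail = Server.CreateObject("Persits.MailSender")
Mail.Username = "contact@example.com" Mail.Password = "not-a-real-secret"
Mail.AddAddress "ops@example.com"
</body></html>"""

if __name__ == "__main__":
    for f in find_source_leak(SAMPLE_RESPONSE):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```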

1 comment:

Chester, Pa said...

aformmail.php