ASP.NET中的SMTP头注入？

我的ASP.NET网站有一个全局错误处理程序,当Web应用程序中出现任何类型的错误时,它会向我(以及另一个开发人员)发送电子邮件.我们最近收到一条错误,其中包含我们从未听说过的电子邮件地址的CC.可怕的是,发送错误电子邮件的开发人员列表在编译的ASP.NET代码中进行了硬编码.我们没有看到如何添加CC.

我们也非常怀疑犯规行为,因为导致错误的请求是尝试使用我们的某个表单发送垃圾邮件.发送请求的IP地址也列在http://www.projecthoneypot.org/上.

我们现在最好的猜测是,请求在某种程度上是错误的,它在电子邮件中注入了CC标头.问题是我们无法弄清楚如何做到这一点.我们正在使用System.Net.Mail发送电子邮件,它似乎可以防止这种情况. MailMessage对象的主题只接受一行,因此您不会创建带有CC行的多行主题.在MailMessage中设置to和cc地址似乎非常强大.我无法看到如何在消息正文中添加CC标头.我找不到任何关于此的信息,我很想知道这是否是一个真正的问题.

编辑：有人要求代码.它有点长,但它是：

public class Global : System.Web.HttpApplication
{
    protected void Application_Error(Object sender,EventArgs e)
    {
        // Get the last exception.
        Exception objException = Server.GetLastError();
 
        // Work out the error details based on the exception.
        string ErrorType = "";
        string ErrorDescription = "";
        string ErrorHtml = "";
 
        if (objException == null)
        {
            // This should never occur.
            ErrorType = "Unknown Error";
            ErrorDescription = "Unknown Error";
        }
        else if (objException.GetType() == typeof(HttpException))
        {
            // This will occur when the ASP.NET engine throws a HttpException.
            HttpException objHttpException = objException as HttpException;
            if (objHttpException.GetHttpCode() == 404)
            {
                string Resource = Globals.GetFullUrl(this.Context);
                Server.ClearError();
                Response.Redirect("/ResourceNotFound.aspx?BadUrl=" + Server.UrlEncode(Resource));
                return;
            }
            else
            {
                ErrorType = objHttpException.GetHttpCode().ToString();
                ErrorDescription = objHttpException.Message;
            }
        }
        else if (objException.GetType() == typeof(HttpUnhandledException) && objException.InnerException != null && objException.InnerException.GetType() == typeof(HttpException))
        {
            // This will occur when the code throws a HttpException (e.g. a fake 404).
            HttpException objHttpException = objException.InnerException as HttpException;
            if (objHttpException.GetHttpCode() == 404)
            {
                string Resource = Globals.GetFullUrl(this.Context);
                Server.ClearError();
                Response.Redirect("/ResourceNotFound.aspx?BadUrl=" + Server.UrlEncode(Resource));
                return;
            }
            else
            {
                ErrorType = objHttpException.GetHttpCode().ToString();
                ErrorDescription = objHttpException.Message;
            }
        }
        else if (objException.GetType() == typeof(HttpUnhandledException))
        {
            // This will occur when a page throws an error.
            HttpUnhandledException objHttpUnhandledException = (HttpUnhandledException) objException;
            ErrorType = objHttpUnhandledException.GetHttpCode().ToString();
            if (objHttpUnhandledException.InnerException != null)
                ErrorDescription = objHttpUnhandledException.InnerException.Message;
            else
                ErrorDescription = objHttpUnhandledException.Message;
            if (objHttpUnhandledException.GetHtmlErrorMessage() != null)
            {
                ErrorHtml = objHttpUnhandledException.GetHtmlErrorMessage();
            }
        }
        else if (objException.GetType() == typeof(HttpRequestValidationException) && !Globals.IsTtiUser(this.Context))
        {
            // Do nothing.  This is mostly just spider junk and we don't want to know about it.
        }
        else
        {
            // This will occur when the ASP.NET engine throws any error other than a HttpException.
            ErrorType = objException.GetType().Name;
            ErrorDescription = objException.Message;
        }
 
        // Send an email if there's an error to report.
        if (ErrorType != "" || ErrorDescription != "")
        {
            Globals.SendErrorEmail(this.Context,ErrorType,ErrorDescription,ErrorHtml);
        }
    }
 
    public static void SendErrorEmail (HttpContext context,string errorType,string errorDescription,string errorHtml)
    {
        // Build the email subject.
        string Subject = "EM: " + errorType + ": " + context.Request.ServerVariables["SCRIPT_NAME"];
 
        // Build the email body.
        string Body;
 
        StringBuilder sb = new StringBuilder("");
        sb.Append("Server:\r\n");
        sb.Append(Globals.Server.ToString() + "\r\n");
        sb.Append("\r\n");
        sb.Append("URL:\r\n");
        sb.Append(Globals.GetFullUrl(context) + "\r\n");
        sb.Append("\r\n");
        sb.Append("Error Type" + ":\r\n");
        sb.Append(errorType + "\r\n");
        sb.Append("\r\n");
        sb.Append("Error Description" + ":\r\n");
        sb.Append(errorDescription + "\r\n");
        sb.Append("\r\n");
        sb.Append("Referring Page:\r\n");
        sb.Append(context.Request.ServerVariables["HTTP_REFERER"] + "\r\n");
        sb.Append("\r\n");
        sb.Append("Date/Time:\r\n");
        sb.Append(DateTime.Now.ToString() + "\r\n");
        sb.Append("\r\n");
        sb.Append("Remote IP:\r\n");
        sb.Append(context.Request.ServerVariables["REMOTE_ADDR"] + "\r\n");
        sb.Append("\r\n");
        sb.Append("User Agent:\r\n");
        sb.Append(context.Request.ServerVariables["HTTP_USER_AGENT"] + "\r\n");
        sb.Append("\r\n");
        sb.Append("Crawler:\r\n");
        sb.Append(context.Request.Browser.Crawler.ToString() + "\r\n");
        sb.Append("\r\n");
        sb.Append("Admin User:\r\n");
        sb.Append(context.User.Identity.Name + "\r\n");
        sb.Append("\r\n");
        sb.Append("\r\n");
        Body = sb.ToString();
 
        // If there's HTML to represent the error (usually from HttpUnhandledException),// then stuff the body text into the HTML (if possible).
        bool HtmlMessage = false;
 
        if (errorHtml != "")
        {
            Regex r = new Regex("(?<thebodytext><body.*?>)",RegexOptions.IgnoreCase);
            if (r.IsMatch(errorHtml))
            {
                Body = Body.Replace("\r\n","<br>");
                Body = r.Replace(errorHtml,"${thebodytext}" + Body,1);
                HtmlMessage = true;
            }
        }
 
        // Send an email to the TTI developers.
        MailMessage objMail;
        objMail = new MailMessage();
        objMail.From = new MailAddress("from-address");
        objMail.To.Add(new MailAddress("to-address"));
        objMail.CC.Add(new MailAddress("cc-address"));
        objMail.CC.Add(new MailAddress("another-cc-address"));
        if (HtmlMessage)
            objMail.IsBodyHtml = true;
        else
            objMail.IsBodyHtml = false;
        if (errorType == "404")
            objMail.Priority = MailPriority.Low;
        else
            objMail.Priority = MailPriority.High;
        objMail.Subject = Subject;
        objMail.Body = Body;
 
        try
        {
            SmtpClient objSmtpClient = new SmtpClient();
            objSmtpClient.Send(objMail);
        }
        finally
        {
            // Do nothing.
        }
    }
}

解决方法

我可以看到这是一个非常有创意的攻击的目标……你正在将用户控制的数据填充到你的消息体中……在这一点上,狡猾地使用二进制数据COULD会导致一个BODY在发送期间发送正确的数据用于格式化的SMTP会话JUST RIGHT …如果可以,我建议将正文转换为所有ASCII文本,或者在字符串构建期间,编写一个只允许RFC字符的字符串清理程序.(过滤URL,REFERRER,远程地址和UserAgent).那些是你更有可能的攻击点.

第二个想法可能是在代码中构造一个基本电子邮件,并将您构建的正文作为文本,HTML或PDF文件进行ATTACH.

请记住,SMTP ENVELOPE数据与消息数据不同….如果某人狡猾得足以发送导致在正文部分期间发送CRLFCRLF.CRLFCRLF的正确正文,则会终止发送,然后如果他们继续发送数据,他们可以发送整个MAIL FROM：RCPT TO：,DATA等…(当然,这是不太可能的情况……)……

我很乐意看到您收到的电子邮件的RAW源…(如实际SMTP事务的十六进制转储,而不是Outlook希望您看到的内容,或其他).

在发送消息之前,您也可以尝试使用QP或B64对身体进行编码….这可能会解决您的问题……

这是一个有趣的,我期待它的结果.

ASP.NET中的SMTP头注入？

解决方法

猜你在找的asp.Net相关文章