Howdy,

I've written a paper on a potential risk with using the CDONTS.NEWMAIL object in Microsoft ASP applications running on Internet Information Server. The paper discusses how an attacker can leverage an ASP page using the CDONTS.NEWMAIL object to send arbitrary e-mails from the vulnerable web server. The CDONTS.NEWMAIL object is used frequently to provide e-mail functionality for pages such as feedback or contact forms and so ASP developers should ensure that all client input be made safe before passing it to any of the properties of the object.

Paper available from http://www.nextgenss.com/research.html .

Cheers,
David Litchfield
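One way a feedback form could validate client input before it reaches the CDONTS.NewMail properties, as an added example that is not taken from the post or the paper. The post does not name which characters are dangerous, so rejecting control characters in header-bound fields is an assumption here; the form field names, length limits and recipient address are hypothetical.

```asp
<%
Option Explicit
' Added example: hardened feedback-form handler (not from the original post).
Const FIXED_RECIPIENT = "feedback@example.com"  ' placeholder; set server-side only
Const MAX_SUBJECT = 120                          ' hypothetical limits
Const MAX_BODY = 4000

' True if s holds a control character. CR, LF and TAB are tolerated only
' when allowCrLfTab is True (message body), never in header-bound fields.
Function HasControlChars(s, allowCrLfTab)
    Dim i, c
    HasControlChars = False
    For i = 1 To Len(s)
        c = AscW(Mid(s, i, 1))   ' AscW is negative above &H7FFF, hence c >= 0
        If ((c >= 0 And c < 32) Or c = 127) _
           And Not (allowCrLfTab And (c = 9 Or c = 10 Or c = 13)) Then
            HasControlChars = True
            Exit Function
        End If
    Next
End Function

' Conservative check: exactly one mailbox, no whitespace, no list separators.
Function IsSingleAddress(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"
    IsSingleAddress = (Len(s) <= 254) And re.Test(s)
End Function

Dim sender, subject, body, mail
sender  = Trim(Request.Form("email"))
subject = Trim(Request.Form("subject"))
body    = Request.Form("message")
If Not IsSingleAddress(sender) _
   Or HasControlChars(subject, False) Or Len(subject) > MAX_SUBJECT _
   Or HasControlChars(body, True) Or Len(body) > MAX_BODY Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid input."
    Response.End
End If

Set mail = Server.CreateObject("CDONTS.NewMail")
mail.From = sender
mail.To = FIXED_RECIPIENT    ' the recipient is never taken from the request
mail.Subject = subject
mail.Body = body
mail.Send
Set mail = Nothing
Response.Write "Thank you."
%>
```

The validation runs before the object is created, so rejected input never touches any CDONTS property.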