SERIOUS SECURITY ISSUE!!!

Topics: Developer Forum, User Forum
May 27, 2008 at 6:26 AM

Hey guys, it's me again with yet another problem.  I tried to send myself an e-mail from my website today and got the following error.  What is really disturbing is that the error message identifies my e-mail address associated with the website and the password for that e-mail address (temporarily changed until I get this fixed), scary.

Configuration Error

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Insufficient permissions for setting the configuration property 'port'.

Source Error:

Line 81: 		<mailSettings>
Line 82: 			<smtp deliveryMethod="Network" from="webmaster@childrensacutecare.com">
Line 83: 				<network host="smtpout.secureserver.net" userName="webmaster@childrensacutecare.com" password="testpass" port="80"/>
Line 84: 			</smtp>
Line 85: 		</mailSettings>

Source File: d:\hosting\mrmeyer4cac\web.config    Line: 83


I made sure I changed the security settings for the web.config file to allow asp.net to read/write as well as changed the permissions on the web server to allow read/write.  It still didn't work. When I changed the port back to 25, which is what you had as a default, this is what I get.

 

A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 64.202.165.58:25

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 64.202.165.58:25

Source Error:

Line 97:                 }
Line 98: 
Line 99:                 client.Send(mail);
Line 100:
Line 101:                Session["ContactFormSent"] = true;

Source File: d:\hosting\mrmeyer4cac\SectionControls\ContactForm.ascx.cs    Line: 99

Stack Trace:

[SocketException (0x274c): A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 64.202.165.58:25]
   System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress) +1073657
   System.Net.Sockets.Socket.InternalConnect(EndPoint remoteEP) +33
   System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Int32 timeout, Exception& exception) +217

[WebException: Unable to connect to the remote server]
   System.Net.ServicePoint.GetConnection(PooledStream PooledStream, Object owner, Boolean async, IPAddress& address, Socket& abortSocket, Socket& abortSocket6, Int32 timeout) +1490784
   System.Net.PooledStream.Activate(Object owningObject, Boolean async, Int32 timeout, GeneralAsyncDelegate asyncCallback) +191
   System.Net.PooledStream.Activate(Object owningObject, GeneralAsyncDelegate asyncCallback) +21
   System.Net.ConnectionPool.GetConnection(Object owningObject, GeneralAsyncDelegate asyncCallback, Int32 creationTimeout) +318
   System.Net.Mail.SmtpConnection.GetConnection(String host, Int32 port) +227
   System.Net.Mail.SmtpTransport.GetConnection(String host, Int32 port) +316
   System.Net.Mail.SmtpClient.GetConnection() +42
   System.Net.Mail.SmtpClient.Send(MailMessage message) +1485

[SmtpException: Failure sending mail.]
   System.Net.Mail.SmtpClient.Send(MailMessage message) +2074
   SectionControls_ContactForm.btnSubmit_Click(Object sender, EventArgs e) in d:\hosting\mrmeyer4cac\SectionControls\ContactForm.ascx.cs:99
   System.Web.UI.WebControls.Button.OnClick(EventArgs e) +105
   System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +107
   System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7
   System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11
   System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1746


Please help once again, I am supposed to present our website to the owner of my company on Wednesday and if I can't present it because of this issue it will be very detrimental, thanks.

 

May 28, 2008 at 10:28 AM
Just hide error details via web.config settings.

Production websites should never present detailed errors to end users as important information could be disclosed. web.config can be configured to display detailed errors only to local users (i.e. users accessing the website from its local machine) or never. Change your web.config settings and error details will never be displayed to users.

Hope this helps.
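
A quick check for the two exposures discussed above, detailed errors shown to remote users and an SMTP password kept in clear text in web.config. This is an added example, not code from this thread or from the starter kit; the sample configs are constructed with placeholder values and audit_web_config is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the first web.config in this thread
# (placeholder host, address and password).
RISKY_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
  <system.net>
    <mailSettings>
      <smtp deliveryMethod="Network" from="webmaster@example.test">
        <network host="smtp.example.test" userName="webmaster@example.test"
                 password="PLACEHOLDER-SECRET" port="80" />
      </smtp>
    </mailSettings>
  </system.net>
</configuration>"""

# Constructed sample shaped like the final settings, with RemoteOnly errors.
HARDENED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
  </system.web>
  <system.net>
    <mailSettings>
      <smtp from="webmaster@example.test">
        <network host="relay.example.test" />
      </smtp>
    </mailSettings>
  </system.net>
</configuration>"""


def audit_web_config(xml_text):
    """Return findings about error-detail and SMTP-credential exposure."""
    root = ET.fromstring(xml_text)
    findings = []
    # Detailed error pages quote config and source lines to every visitor
    # when customErrors is explicitly switched off.
    for errors in root.iter("customErrors"):
        if errors.get("mode") == "Off":
            findings.append("customErrors mode=Off: detailed errors shown to remote users")
    # A non-empty password attribute is a clear-text secret that any page
    # quoting this file would reveal. Report the host, never the value.
    for network in root.iter("network"):
        if network.get("password"):
            findings.append("smtp password stored in clear text for host %s"
                            % network.get("host", "(unset)"))
    return findings
```

Run audit_web_config over the deployed web.config before going live; an empty list means neither exposure was found.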
May 28, 2008 at 3:21 PM


TBPrince wrote:
Just hide error details via web.config settings.

Production websites should never present detailed errors to end users as important information could be disclosed. web.config can be configured to display detailed errors only to local users (i.e. users accessing the website from its local machine) or never. Change your web.config settings and error details will never be displayed to users.

Hope this helps.


TB, thanks, I didn't realize that was there. I changed it to RemoteOnly and it worked just fine.  Now if anyone could tell me why I can't get the e-mail function working from the page I'd be set.
May 28, 2008 at 4:17 PM
Hopefully this makes sense to all of you, but I talked to GoDaddy today to try and figure this problem out and was told that they support 3 different languages when sending the mail, and they weren't sure if this application was built to use one of these languages. He said that I needed to put the following code into the application. My problem is that, being a newbie to all of this, I don't know where this code would need to go, so hopefully one of you does.  I also included the article that this came from.

CDOSYS is part of the System.Web.Mail namespace and is installed by default on Windows 2000 and Windows XP platforms. It replaces CDONTS for sending SMTP email messages and can be used with our IIS 6 and IIS 7 Windows hosting accounts. The following code sample demonstrates how to create, format, and send email.

The server "relay-hosting.secureserver.net" is used to send email from your hosted domain. You must populate the SmtpMail object's SmtpServer property with this value. Our shared hosting servers allow for email attachments up to 30 MB.

// language -- C#
// import namespaces
using System;          // DateTime
using System.Web.Mail;

// Place this method inside the page or control code-behind class.
private void SendEmail()
{
   const string SERVER = "relay-hosting.secureserver.net";
   MailMessage oMail = new System.Web.Mail.MailMessage();
   oMail.From = "emailaddress@domainname";
   oMail.To = "emailaddress@domainname";
   oMail.Subject = "Test email subject";
   oMail.BodyFormat = MailFormat.Html; // enumeration
   oMail.Priority = MailPriority.High; // enumeration
   oMail.Body = "Sent at: " + DateTime.Now;
   SmtpMail.SmtpServer = SERVER;
   SmtpMail.Send(oMail);
   oMail = null; // free up resources
}


May 28, 2008 at 7:10 PM
Out of curiosity - are you still setting the port to 80 in the web.config?
If so, is there a specific reason you're doing that?

May 28, 2008 at 9:12 PM
Yes, because that's all that works.  As an update, I just got the contact us form to work by changing the code on the web.config file to the following:

<mailSettings>
   <smtp from="webmaster@childrensacutecare.com">
      <network host="relay-hosting.secureserver.net" password="" port="80"
               userName="" />
   </smtp>
</mailSettings>

and changing the code on the contactus.ascx.cs file to the following:

using System.Web.Mail; (not using System.Net.Mail;)

AND

protected void btnSubmit_Click(object sender, EventArgs e)
{
    if (Session["ContactFormSent"] == null)
    {
        Page.Validate(ID);
        if (Page.IsValid)
        {
            const string SERVER = "relay-hosting.secureserver.net";
            MailMessage oMail = new System.Web.Mail.MailMessage();
            oMail.From = txtEmailFrom.Text.Trim();
            oMail.To = "webmaster@childrensacutecare.com";
            oMail.Subject = txtName.Text.Trim();
            oMail.BodyFormat = MailFormat.Html; // enumeration
            oMail.Priority = MailPriority.High; // enumeration
            oMail.Body = txtMessage.Text.Trim();
            SmtpMail.SmtpServer = SERVER;
            SmtpMail.Send(oMail);
            oMail = null; // free up resources
            Session["ContactFormSent"] = true;
        }
    }
}


This now works, now I have to find and replace the code on the registration function too, because I am getting the same error message when I try to register a new person.
May 28, 2008 at 9:39 PM
Edited May 28, 2008 at 9:40 PM
It's all fixed and working, FINALLY, thanks to all of you who took an interest to help me out.  Subsequently, I did take out the port altogether and all the error messages went away.

The mail settings now read simply:

<mailSettings>
   <smtp from="webmaster@childrensacutecare.com">
      <network host="relay-hosting.secureserver.net" />
   </smtp>
</mailSettings>
Nov 18, 2009 at 10:31 PM

I am trying to setup my starter kit as well on Go Daddy.  I can't seem to get my SMTP settings right.

If I use relay-hosting I am not able to send e-mails from things other than my own address - This breaks the contact me form.

Your last message seems to send all e-mails to your godaddy account.  How does your contact form work to send e-mails from the one you specify?

Nov 18, 2009 at 10:42 PM

I added what he has up above to the web.config file, I included this information in the CMS Page, and I went to the administration tool page and set the SMTP settings:

Use this page to manage SMTP settings, which determine how your Web application sends e-mail. If your e-mail server requires you to log on before you can send an e-mail message, specify the type of authentication that the server requires, and if necessary, the user name and password to use.

Note: For more information on authentication with your e-mail server, contact your network administrator.

Configure SMTP Settings
Server Name: relay-hosting.secureserver.net
Server Port: 25
From: webmaster@childrensacutecare.com
Authentication:
  None (selected)
  Basic
    Choose this option if your e-mail server requires you to explicitly pass a user name and password when sending an e-mail message.
    Sender's user name: (disabled)
    Sender's password: (disabled)
  NTLM (Windows authentication)
    Choose this option if your e-mail server is on a local area network and you connect to it using windows credentials.
[Save]


I created a godaddy e-mail address that I monitor to track all of this.  Do you have a GoDaddy account dedicated for use with your website?  I use webmaster@domain.com and that's where all e-mails go to and from.

Hope this helps.

Nov 18, 2009 at 11:07 PM

It is kind of hard to follow.  Does all of that allow you to have a contact form that sends an e-mail from their address that you can reply to?  From what I have found it looks like I will have to have my contact form have the from address be the godaddy account and have to put their e-mail in the body of the e-mail.  Which sucks but is doable.

Nov 19, 2009 at 12:37 AM

Yes the built in Contact Us Section Control makes them put in their e-mail address and a subject and the content of their question.  When they hit submit it gets sent to my webmaster e-mail address with godaddy which then pops to my Outlook and all further correspondence is done directly through me and them that way.

But I think to answer your question, yes they have to put in their email address, which you get when their email comes across to whatever email you designate for yourself in your settings.  I hope that helps.