VPASP reports that this insecurity was fixed in the 650 version of their cart, the patch for which can be found here: http://www.vpasp.com/sales/addons600.asp
However, please be aware that in order to download this patch you may be required to update your license for VPASP, incurring fees. To help offset this, VPASP has offered us a coupon code for a nearly 50% discount on the license. Simply insert the coupon code "ALENTUS" into the customer information page when checking out and it will be deducted from the total.
Additionally, as VPASP version 700 is slated for release in the coming months, upgrading your license will allow you to upgrade to the newest version at no charge once it is released.
If you do not wish to make use of the 'Tell A Friend' feature of the application you can simply rename the file 'shoptellafriend.asp' to something else such as 'shoptellafriend.asp.bak'.
If you do not wish to upgrade your VPASP installation at this time, yet still wish to make use of the 'Tell A Friend' feature, you can attempt to modify the VPASP shoptellafriend.asp page that is being targeted to discourage spammers from misusing it. However, this action is for more advanced administrators only and we cannot provide support if the following procedure causes errors in your application.
Be sure to make a backup copy of this file before you make any changes, just in case.
To manually modify the VPASP cart to discourage spammers from misusing it, please follow the steps below:
- Open the file 'shoptellafriend.asp' in the root of your VPASP application.
- Locate the function definition 'Sub ValidateData()', usually at line 117 in the file.
- Modify the following section of code:
strCustName = Request.Form("CustName")
strCustEmail = Request.Form("CustEmail")
strFriendsName = Request.Form("FriendsName")
strFriendsEmail = Request.Form("FriendsEmail")
strMessage=request("strMessage")
- When modifying, it is recommended to comment out the original line by placing a single quote at the beginning of the line, and then copy the original line for modification.
- It is recommended to at least change the lines relating to the source email address and message contents as below:
strCustName = Request.Form("CustName")
'strCustEmail = Request.Form("CustEmail")
strCustEmail = ""
strFriendsName = Request.Form("FriendsName")
strFriendsEmail = Request.Form("FriendsEmail")
'strMessage=request("strMessage")
strMessage = ""
- In changing the above lines to a blank string, VPASP will use the defaults set in the cart options rather than what a potential spammer may have submitted.
Please note the following:
- Simply modifying the template of the page will not stop spammers from submitting their own messages directly to the form processor.
At the moment we are handling incidents of this form of spamming on a case-by-case basis. If a domain is found to be sending out large amounts of spam from this page we will disable only the shoptellafriend.asp page and send a notification to the email address[es] we have on file.
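To check whether your own site's copy of the page is being hit, the following added example (not part of the original article and not VPASP code) counts POST requests to shoptellafriend.asp per client IP in a W3C extended format web log, and marks clients that post without ever loading the form. It assumes your site logs in that format; the sample log lines, IP addresses and threshold are constructed for illustration.

```python
from collections import Counter

TARGET = "/shoptellafriend.asp"  # form processor named in the article
THRESHOLD = 3                    # assumed cut-off for this sample; tune per site

# Constructed sample log (documentation-range IPs), not real traffic.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2000-01-01 10:00:01 GET /shoptellafriend.asp id=12 198.51.100.7 Mozilla/4.0 200
2000-01-01 10:00:09 POST /shoptellafriend.asp - 198.51.100.7 Mozilla/4.0 200
2000-01-01 10:01:30 GET /default.asp - 192.0.2.9 Mozilla/4.0 200
2000-01-01 10:02:11 POST /ShopTellAFriend.asp - 203.0.113.50 - 200
2000-01-01 10:02:12 POST /shoptellafriend.asp - 203.0.113.50 - 200
2000-01-01 10:02:13 POST /shoptellafriend.asp - 203.0.113.50 - 200
2000-01-01 10:02:14 POST /shoptellafriend.asp - 203.0.113.50 - 200
2000-01-01 10:02:15 POST /shoptellafriend.asp
"""

def parse_w3c(text):
    """Yield one dict per request, using the column order from #Fields."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt lines
                yield dict(zip(fields, values))

def page_hits(text):
    """Return (POST counts, non-POST counts) per client IP for the target page."""
    posts, gets = Counter(), Counter()
    for req in parse_w3c(text):
        # IIS paths are case-insensitive, so compare in lower case.
        if req.get("cs-uri-stem", "").lower() != TARGET:
            continue
        bucket = posts if req.get("cs-method") == "POST" else gets
        bucket[req.get("c-ip", "unknown")] += 1
    return posts, gets

def suspects(text, threshold=THRESHOLD):
    """(ip, posts, never_loaded_form) for IPs at or above the threshold."""
    posts, gets = page_hits(text)
    return [(ip, n, gets[ip] == 0)
            for ip, n in posts.most_common() if n >= threshold]

if __name__ == "__main__":
    for ip, n, direct in suspects(SAMPLE_LOG):
        note = " without ever loading the form" if direct else ""
        print(f"{ip}: {n} POSTs to {TARGET}{note}")
```

A client that posts repeatedly without requesting the form first matches the direct-submission pattern noted above, but treat it as a lead to review rather than proof of abuse.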