Report Server Database Mail BCCs?

That’s a nice White Hat SQL injection use!

Thanks for sharing Nick.

Fernando Margueirat
Business Analyst
The National Ballet of Canada
470 Queens Quay West
Toronto, Ontario
M5V 3K4
P: 416 345 9686 x453
F: 416 345 8323

I'm rather surprised that this hasn't come up before... but I found a workaround!

Database mail is called using a procedure that takes the following arguments for recipients: @recipients, @copy_recipients, and @blind_copy_recipients. Only the @recipients argument is built into report scheduling, but the text field in the Auto-Email Elements window is simply inserted wholesale into the procedure call with no input validation that I can find--in other words,

@recipients = '<recipient text box content>'

This means we can inject any of the other recipient arguments into the procedure call with the following syntax:

',@blind_copy_recipients = 'bccrecipient@example.com

... turning the full procedure call argument into

@recipients = '',@blind_copy_recipients = 'bccrecipient@example.com'

And sp_send_dbmail is totally okay with this!

Does anyone know if/how to configure scheduled emailed reports so the recipients are BCCd instead of all visible in the 'To:' field?

I know this is an available feature of Database mail, but it appears Tessi does not provide an interface for the BCC field. My best guess at this point is that I might be able to literally hack the email TO field in Tessi to close the one argument and add the BCC one, but I'm hoping someone has a better idea before I go in and try to figure that out. 

This message was sent automatically to you by www.tessituranetwork.com because you subscribed to the Tessitura Technical Forum. You may reply to this message to post to the Technical forum or visit the site to search, read and post to the forums. In the interest of keeping the forum posts from becoming cluttered, we encourage you to delete previous message text from your reply before sending. Thank you!

That’s a nice White Hat SQL injection use!

Thanks for sharing Nick.

Fernando Margueirat
Business Analyst
The National Ballet of Canada
470 Queens Quay West
Toronto, Ontario
M5V 3K4
P: 416 345 9686 x453
F: 416 345 8323

I'm rather surprised that this hasn't come up before... but I found a workaround!

Database mail is called using a procedure that takes the following arguments for recipients: @recipients, @copy_recipients, and @blind_copy_recipients. Only the @recipients argument is built into report scheduling, but the text field in the Auto-Email Elements window is simply inserted wholesale into the procedure call with no input validation that I can find--in other words,

@recipients = '<recipient text box content>'

This means we can inject any of the other recipient arguments into the procedure call with the following syntax:

',@blind_copy_recipients = 'bccrecipient@example.com

... turning the full procedure call argument into

@recipients = '',@blind_copy_recipients = 'bccrecipient@example.com'

And sp_send_dbmail is totally okay with this!

Does anyone know if/how to configure scheduled emailed reports so the recipients are BCCd instead of all visible in the 'To:' field?

I know this is an available feature of Database mail, but it appears Tessi does not provide an interface for the BCC field. My best guess at this point is that I might be able to literally hack the email TO field in Tessi to close the one argument and add the BCC one, but I'm hoping someone has a better idea before I go in and try to figure that out. 

This message was sent automatically to you by www.tessituranetwork.com because you subscribed to the Tessitura Technical Forum. You may reply to this message to post to the Technical forum or visit the site to search, read and post to the forums. In the interest of keeping the forum posts from becoming cluttered, we encourage you to delete previous message text from your reply before sending. Thank you!