[ZendTo] Results of Penetration Testing on Zendto
patrick.gaikowski at kaufland.com
Mon Aug 22 08:43:06 BST 2011
Hi,
we commissioned an external company specialised in penetration testing to take
a look at ZendTo. They found some weaknesses which should be corrected...
1.) Session concept
The user is identified by a cookie value. The cookie value consists of
username, IP address, timestamp, nonce, browser, cookie name and
server-side secret. All these values are combined and hashed with MD5.
This hash is used together with username, IP address, timestamp and nonce to
identify the user.
The user sends the cookie values to the server and the server checks whether the
hash is correct and the timestamp is not too old.
Suggestion:
The external company mentions that there are no additional measures to check
whether the user is really connecting from that IP address. The security is only
based on the server-side secret. With brute force it should be possible to
get the MD5 hash and imitate every user.
The suggestion is to extend the server-side secret to 20 characters and
change it continuously. The status of a session should be verified on the
server side.
2.) Cookie
The cookie "zendto-session" is not marked with (PHP) attributes like
"Secure" and "HttpOnly".
Suggestion:
All cookies should be marked with "Secure" and "HttpOnly" to complicate the
sniffing of these values.
3.) Reflected cross-site scripting
The vulnerability was found in the following URL:
https://<IP>/pickup.php?claimID=D9tEmVyPzfpaWW3cd541b"><img src="noex" onerror="alert('SySS XSS!')"&claimPasscode=TD9ab87Sas2RFVoW&pickup=Pick-up+the+File(s)
The following output was generated.
On my ZendTo, mod_security is running and keywords are filtered, but all
parameters should be verified and validated on the server side.
Mit freundlichen Grüßen / Best regards
Patrick Gaikowski
Tel: +49 7132 94 3568
Fax: +49 7132 94 73568
E-Mail: patrick.gaikowski at kaufland.com
KI 967850: IT International / IT Governance / Network Design and
IT Security
Office:
Lindichstrasse 11
D-74189 Weinsberg
http://www.kaufland.de
http://www.spannende-it.de
We are No. 1:
Kaufland is "Best Grocery Store 2011"!
Kaufland Informationssysteme GmbH & Co. KG
P.O. Box 12 53 - 74149 Neckarsulm
Limited partnership (Kommanditgesellschaft)
Registered office: Neckarsulm
Register court: Amtsgericht Stuttgart HRA 104163
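As an added illustration of the session-concept and cookie findings above (example code, not ZendTo's own and not from the report, and in Python rather than ZendTo's PHP): the cookie fields the report lists are bound together with an HMAC-SHA256 tag in place of the MD5 hash, checked in constant time against the presenting IP address and a server-side registry of live sessions, and emitted with the Secure and HttpOnly attributes. The secret, the eight-hour lifetime, the "|" field separator and the in-memory registry are assumptions for the demo.

```python
import hashlib, hmac, secrets, time
from http.cookies import SimpleCookie

# Demo secret: a deployment generates it once from os.urandom, keeps it out
# of the web root and rotates it on a schedule, as the report recommends.
SERVER_SECRET = secrets.token_bytes(32)
SESSION_LIFETIME = 8 * 3600          # seconds a cookie stays acceptable
# Live sessions (nonce -> username): a cookie whose nonce is gone (logout,
# rotation) is refused even if its tag is valid.
ACTIVE_SESSIONS = {}

def issue_session(username, client_ip, user_agent, now=None):
    """username|ip|timestamp|nonce|tag; tag = HMAC over fields + browser."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    fields = [username, client_ip, str(now), nonce]
    msg = "\x00".join(fields + [user_agent]).encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    ACTIVE_SESSIONS[nonce] = username
    return "|".join(fields + [tag])

def verify_session(cookie_value, client_ip, user_agent, now=None):
    """Return the username for an acceptable cookie, otherwise None."""
    now = int(time.time() if now is None else now)
    try:
        username, ip, ts, nonce, tag = cookie_value.split("|")
    except ValueError:                       # malformed or truncated cookie
        return None
    msg = "\x00".join([username, ip, ts, nonce, user_agent]).encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    if ip != client_ip:                      # must come from the bound address
        return None
    if not ts.isdigit() or now - int(ts) > SESSION_LIFETIME:
        return None
    if ACTIVE_SESSIONS.get(nonce) != username:   # server-side session status
        return None
    return username

def revoke_session(cookie_value):            # logout: cookie is refused after
    ACTIVE_SESSIONS.pop(cookie_value.split("|")[3], None)

def set_cookie_header(value):
    """Set-Cookie header carrying the Secure and HttpOnly attributes."""
    jar = SimpleCookie()
    jar["zendto-session"] = value
    jar["zendto-session"]["secure"] = True
    jar["zendto-session"]["httponly"] = True
    return jar.output(header="").strip()
```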