[ZendTo] Re: Penetration Test show big security issue

Jules Jules at Zend.To
Thu Jun 16 11:52:14 BST 2011


This is easy to fix with a little patch to 
/opt/zendto/templates/show_dropoff.tpl which are files you can happily 
edit, and your changes will survive upgrades.

I've attached the patch file. gunzip it and then
     cd /opt/zendto/templates
     patch < /tmp/show_dropoff.tpl.patch
and you should find the HTML changes to not include the ClaimID and 
Passcode unless it is actually needed. I have also removed a whole chunk 
of commented-out HTML from the page.

This change will also be in the next release unless anyone says it 
doesn't work! :)

Jules.

On 16/06/2011 10:30, patrick.gaikowski at kaufland.com wrote:
>
> Hi,
>
> the penetration test in my company shows a big issue regarding the 
> "onDemand" dropoff for non-registered users.
>
>     * foreign user gets dropoff-auth with valid email-address after
>       Recaptcha
>     * user uploads files to Zendto with a non-existing email-address
>       of my company (for example --> nonexisting at kaufland.com)
>     * user gets dropoff summary
>
> in the source code of dropoff.php you can see the *claimid* and 
> *claimpasscode* as hidden input fields
> <form name="deleteDropoff" method="post" 
> action="https://share.kaufland.com/delete.php">
> <input type="hidden" name="claimID" value="JikPnNT7eDMCr9g7"/>
> <input type="hidden" name="claimPasscode" value="YtKuUMXQzcrMkAtd"/>
>
>
> The foreign user could send the *claimid* and *claimpasscode* to a lot 
> of users, like a filesharing platform!
>
> From this point of view it's a big security issue!

Jules

-- 
Julian Field MEng CITP CEng
www.Zend.To

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'All programs have a desire to be useful' - Tron, 1982

-------------- next part --------------
A non-text attachment was scrubbed...
Name: show_dropoff.tpl.patch.gz
Type: application/x-gzip
Size: 920 bytes
Desc: not available
Url : http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20110616/6ed0935e/attachment.gz 
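A check for the issue Patrick reported and Jules patched, added here as an example and not part of the thread or of ZendTo itself: it parses a rendered drop-off summary page and lists every hidden form field whose name is one of the claim credentials, so an administrator can confirm after applying the patch that the summary no longer carries the claimID and claimPasscode. The two HTML samples are constructed for the example; the field names come from the quoted form, and the helper names are my own.

```python
from html.parser import HTMLParser

# Hidden-input names that act as bearer credentials for a drop-off
# (taken from the <form name="deleteDropoff"> quoted in the thread).
SENSITIVE_HIDDEN_FIELDS = {"claimid", "claimpasscode"}


class HiddenFieldFinder(HTMLParser):
    """Collect every <input type="hidden"> together with its enclosing form's action."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.hidden = []  # list of (form_action, field_name, value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current_form = a.get("action", "")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            # <input .../> is routed here too via handle_startendtag
            self.hidden.append((self.current_form, a.get("name", ""), a.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def leaked_credentials(html):
    """Return hidden fields whose names match the sensitive list, or [] if clean."""
    parser = HiddenFieldFinder()
    parser.feed(html)
    parser.close()
    return [h for h in parser.hidden if h[1].lower() in SENSITIVE_HIDDEN_FIELDS]


# Constructed sample of the summary page before the template patch
# (placeholder values, not real claim credentials).
SUMMARY_BEFORE = """<html><body>
<form name="deleteDropoff" method="post" action="https://share.example.com/delete.php">
<input type="hidden" name="claimID" value="CLAIMID-PLACEHOLDER"/>
<input type="hidden" name="claimPasscode" value="PASSCODE-PLACEHOLDER"/>
<input type="submit" value="Delete"/>
</form></body></html>"""

# Constructed sample after the patch: the delete form carries no credentials.
SUMMARY_AFTER = """<html><body>
<form name="deleteDropoff" method="post" action="https://share.example.com/delete.php">
<input type="hidden" name="reqType" value="delete"/>
<input type="submit" value="Delete"/>
</form></body></html>"""
```

Run `leaked_credentials()` over the HTML served to a non-registered sender; an empty list is the expected result once the patched show_dropoff.tpl is in place.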