[ZendTo] Re: Penetration Test show big security issue

Thu Jun 16 16:08:25 BST 2011

http://www.kaufland.de
http://www.spannende-it.de
Wir sind die Nr. 1:
Kaufland ist "Bester Lebensmittelmarkt 2011"!

Kaufland Informationssysteme GmbH & Co. KG
Postfach 12 53 - 74149 Neckarsulm
Kommanditgesellschaft
Sitz: Neckarsulm
Registergericht: Amtsgericht Stuttgart HRA 104163

   patrick.gaikowski at kaufland.                                             
   com                                                                     
   Gesendet von:                                                           
   zendto-bounces at zend.to              ZendTo Users <zendto at zend.to>       

   16.06.2011 15:00                                                  Thema 
                                       [ZendTo] Antwort: {Disarmed} Re:    
                                       Penetration Test show big security  
   Bitte antworten an                  issue                               
   ZendTo Users                                                            
   <zendto at zend.to>                                                        

Hi Jules,

it seems to work....

Wow we avoided a red point from penetration testing...

I'll get a report and we can try to fix some other issues. They found one
more possible XSS, but i will get information.

Mit freundlichen Grüßen / Best regards

Patrick Gaikowski
Tel:     +49 7132 94 3568
Fax:    +49 7132 94 73568
E-Mail: patrick.gaikowski at kaufland.com
KI 967800 IT International / Infrastruktur
Office:
Lindichstrasse 11
D-74189 Weinsberg

http://www.kaufland.de
http://www.spannende-it.de
Wir sind die Nr. 1:
Kaufland ist "Bester Lebensmittelmarkt 2011"!

Kaufland Informationssysteme GmbH & Co. KG
Postfach 12 53 - 74149 Neckarsulm
Kommanditgesellschaft
Sitz: Neckarsulm
Registergericht: Amtsgericht Stuttgart HRA 104163

      Inactive hide details for Jules <Jules at zend.to>Jules <Jules at zend.to>

       Jules <Jules at zend.to>                                               
       Gesendet von:                                                       
       zendto-bounces at zend.to                                              

       16.06.2011 12:52                                ZendTo Users        
                                                       <zendto at zend.to>    

        Bitte antworten an                                                 
        ZendTo Users                                                       
        <zendto at zend.to>                                             Thema 

                                                       [ZendTo] {Disarmed} 
                                                       Re: Penetration     
                                                       Test show big       
                                                       security issue      

This is easy to fix with a little patch
to /opt/zendto/templates/show_dropoff.tpl which are files you can happily
edit, and your changes will survive upgrades.

I've attached the patch file. gunzip it and then
cd /opt/zendto/templates
patch < /tmp/show_dropoff.tpl.patch
and you should find the HTML changes to not include the ClaimID and
Passcode unless it is actually needed. I have also removed a whole chunk of
commented-out HTML from the page.

This change will also be in the next release unless anyone says it doesn't
work! :)

Jules.

On 16/06/2011 10:30, patrick.gaikowski at kaufland.com wrote:

      Hi,

      the penetration test in my company shows big issue according
      "onDemand" dropoff for non registered users.
            foreign user gets dropoff-auth with valid email-address after
            Recaptcha
            user uploads files to Zendto with a non-existing email-address
            of my company (for example --> nonexisting at kaufland.com)
            user gets dropoff summary
      in the source code of dropoff.php you can see the claimid and
      claimpasscode as hidden input fields
      <form name="deleteDropoff" method="post" action=MailScanner has
      detected a possible fraud attempt from "share.kaufland.com" claiming
      to be "https://share.kaufland.com/delete.php">
      <input type="hidden" name="claimID" value="JikPnNT7eDMCr9g7"/>
      <input type="hidden" name="claimPasscode" value="YtKuUMXQzcrMkAtd"/>

      The foreign user could send the claimid and claimpasscode to a lot of
      users, like a filesharing platform!

      >From this point of view its a big security issue!

Jules

--
Julian Field MEng CITP CEng
www.Zend.To

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'All programs have a desire to be useful' - Tron, 1982
[Anhang "show_dropoff.tpl.patch.gz" gelöscht von Patrick
Gaikowski/IS/KI/KAUFLAND] _______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20110616/52ed9342/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
Url : http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20110616/52ed9342/attachment-0002.gif 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ecblank.gif
Type: image/gif
Size: 45 bytes
Desc: not available
Url : http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20110616/52ed9342/attachment-0003.gif 