[ZendTo] {Disarmed} Re: Penetration Test show big security issue

Jules Jules at Zend.To
Tue Jun 21 22:46:33 BST 2011


Another thing you might want to know.

If you send a dropoff to a user, it displays a page containing the 
ClaimID and Passcode so you can send it to other users as well if you wish.
If you consider this to be a security hole, then edit 
/opt/zendto/templates/show_dropoff.tpl and delete the "sendContainer" div.
I don't want to delete it from the distribution, because it's quite useful 
for people. However, the whole point of moving all the HTML out into the 
templates directory is so that you can edit them to fit your 
requirements and site design. Any changes you make to them will be kept 
during yum and apt upgrades. They are intended for you to make changes 
beyond what is set in zendto.conf.

So feel free to remove this section from the template file if you find 
this is being exploited on your site. It isn't on mine.

Jules.

On 16/06/2011 10:30, patrick.gaikowski at kaufland.com wrote:
>
> Hi,
>
> the penetration test in my company shows a big issue regarding the 
> "onDemand" dropoff for non-registered users.
>
>     * a foreign user gets dropoff-auth with a valid email address after
>       Recaptcha
>     * the user uploads files to Zendto with a non-existing email address
>       of my company (for example --> nonexisting at kaufland.com)
>     * the user gets the dropoff summary
>     * in the source code of dropoff.php you can see the *claimid* and
>       *claimpasscode* as hidden input fields
>
> <form name="deleteDropoff" method="post" 
> action="https://share.kaufland.com/delete.php">
> <input type="hidden" name="claimID" value="JikPnNT7eDMCr9g7"/>
> <input type="hidden" name="claimPasscode" value="YtKuUMXQzcrMkAtd"/>
>
>
> The foreign user could send the *claimid* and *claimpasscode* to a lot 
> of users, like a filesharing platform!
>
> From this point of view it's a big security issue!
>
>
> Mit freundlichen Grüßen / Best regards
>
> Patrick Gaikowski
> Tel:     +49 7132 94 3568
> Fax:    +49 7132 94 73568
> E-Mail: patrick.gaikowski at kaufland.com
> KI 967800 IT International / Infrastruktur
> Office:
> Lindichstrasse 11
> D-74189 Weinsberg

Jules

-- 
Julian Field MEng CITP CEng
www.Zend.To

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
'All programs have a desire to be useful' - Tron, 1982
'That is the land of lost content,
  I see it shining plain,
  The happy highways where I went,
  And cannot come again.' - A.E. Houseman
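An added example, not from this thread or the ZendTo project, of the check Jules refers to when he says "if you find this is being exploited on your site": scanning the web server access log for a single claimID that has been picked up from many distinct client addresses, which is what the "filesharing platform" abuse described above would look like. It assumes the pickup request hits /pickup.php with a claimID query parameter (an assumption about the site layout) and uses constructed Combined Log Format lines.

```python
"""Flag ZendTo dropoffs whose claimID was fetched from many distinct client
addresses, a sign that one claimID/passcode pair is being passed around."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format). The /pickup.php
# path, the claimID parameter and the claim values are assumptions for the demo.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jun/2011:10:01:12 +0100] "GET /pickup.php?claimID=SHARED0000000001&claimPasscode=pw1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Jun/2011:10:04:40 +0100] "GET /pickup.php?claimID=SHARED0000000001&claimPasscode=pw1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.4 - - [21/Jun/2011:10:09:03 +0100] "GET /pickup.php?claimID=SHARED0000000001&claimPasscode=pw1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.88 - - [21/Jun/2011:10:15:59 +0100] "GET /pickup.php?claimID=SHARED0000000001&claimPasscode=pw1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Jun/2011:10:20:11 +0100] "GET /pickup.php?claimID=SHARED0000000001&claimPasscode=pw1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Jun/2011:11:02:30 +0100] "GET /pickup.php?claimID=PRIVATE000000002&claimPasscode=pw2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Jun/2011:11:05:01 +0100] "GET /pickup.php?claimID=PRIVATE000000002&claimPasscode=wrong HTTP/1.1" 403 120 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Jun/2011:11:10:45 +0100] "POST /delete.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# client IP, timestamp, request line (method + URL), response status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def claim_fetchers(log_text, path="/pickup.php"):
    """Map each claimID to the set of client IPs that successfully fetched it.
    Only 200 responses count: a failed passcode guess is not a pickup."""
    fetchers = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        parts = urlsplit(m.group("url"))
        if parts.path != path:
            continue
        claim = parse_qs(parts.query).get("claimID", [None])[0]
        if claim:
            fetchers[claim].add(m.group("ip"))
    return fetchers


def shared_claims(log_text, threshold=3, path="/pickup.php"):
    """Return {claimID: distinct client count} for claims fetched from at least
    `threshold` different addresses; repeat pickups by one IP count once."""
    return {claim: len(ips) for claim, ips in claim_fetchers(log_text, path).items()
            if len(ips) >= threshold}


if __name__ == "__main__":
    for claim, count in shared_claims(SAMPLE_LOG).items():
        print(f"claimID {claim} picked up from {count} distinct addresses")
```

Run it against the real access log instead of SAMPLE_LOG and tune the threshold to how widely a dropoff is normally shared on your site.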
