[ZendTo] Antwort: Re: Zendto is vulnerable for SQL-Injection

patrick.gaikowski at kaufland.com patrick.gaikowski at kaufland.com
Tue May 17 09:51:54 BST 2011 

Hi Jules,

i will verify all ways (without account / with account) and will let you
know more detailed information...

Mit freundlichen Grüßen / Best regards

Patrick Gaikowski
Tel:     +49 7132 94 3568
Fax:    +49 7132 94 73568
E-Mail: patrick.gaikowski at kaufland.com
KI 967800 IT International / Infrastruktur
Office:
Lindichstrasse 11
D-74189 Weinsberg



http://www.kaufland.de
Wir sind die Nr. 1:
Kaufland ist "Bester Lebensmittelmarkt 2011"!

Kaufland Informationssysteme GmbH & Co. KG
Postfach 12 53 - 74149 Neckarsulm
Kommanditgesellschaft
Sitz: Neckarsulm
Registergericht: Amtsgericht Stuttgart HRA 104163



                                                                           
   Jules <Jules at zend.to>                                                   
   Gesendet von:                                                           
   zendto-bounces at zend.to                                                  
                                       ZendTo Users <zendto at zend.to>       
                                                                           
   17.05.2011 10:43                                                        
                                                                     Thema 
                                       [ZendTo] Re: Zendto is vulnerable   
   Bitte antworten an                  for SQL-Injection                   
   ZendTo Users                                                            
   <zendto at zend.to>                                                        
                                                                           
                                                                           
                                                                           
                                                                           




Very good, but exactly what was the process you or it used to achieve this?
I thought I had spotted all the points where this was possible, but
obviously missed one!

Without more details, there's little I can do about it. Which is obviously
not what we both want.

So please send me some more useful information.

Many thanks,
Jules.

On 17/05/2011 08:59, patrick.gaikowski at kaufland.com wrote:


      Hi @ all,

      i tried to audit zendto with parosproxy (www.parosproxy.org) and
      found out that zendto is vulnerable for SQL-injection. The proxy
      manipulates the claimid and claimpasscode and could blow up the
      database with dropoffs!




--
Julian Field MEng CITP CEng
www.Zend.To

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'All programs have a desire to be useful' - Tron, 1982
_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20110517/3028c28a/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
Url : http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20110517/3028c28a/attachment.gif 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ecblank.gif
Type: image/gif
Size: 45 bytes
Desc: not available
Url : http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20110517/3028c28a/attachment-0001.gif

More information about the ZendTo mailing list