[ZendTo] Reply: Re: Zendto is vulnerable for SQL-Injection

patrick.gaikowski at kaufland.com patrick.gaikowski at kaufland.com
Sun May 22 15:09:49 BST 2011


Hi,

we engaged a company for penetration testing of web applications and that's
why I tried to be prepared....

I used the tool "Burp Suite", which is an HTTP/HTTPS proxy for intercepting
web requests / responses.

   I made a dropoff request without username / password --> only ReCaptcha
   I intercepted the POST to dropoff.php

(See attached file: dropoff)

   In the tool you can send the POST to the repeater module and modify the
   POST.
   I was able to send the upload various times --> the limit will be the
   free space on the host system --> can be used to blow up the system and
   perhaps crash the system.
   I was able to change, for example, the email address of the recipient
   (only the domain defined in preferences.php) in the POST --> can be used
   for SPAM if the email domain is not configured correctly.

Is it possible to limit the lifetime of the auth parameter to only one
request?


Kind regards / Best regards

Patrick Gaikowski
Tel:     +49 7132 94 3568
Fax:    +49 7132 94 73568
E-Mail: patrick.gaikowski at kaufland.com
KI 967800 IT International / Infrastructure
Office:
Lindichstrasse 11
D-74189 Weinsberg



http://www.kaufland.de
We are No. 1:
Kaufland is "Best Grocery Store 2011"!

Kaufland Informationssysteme GmbH & Co. KG
P.O. Box 12 53 - 74149 Neckarsulm
Limited partnership
Registered office: Neckarsulm
Court of registration: Amtsgericht Stuttgart HRA 104163
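The replay described above works because the same auth value is accepted on every POST. One defensive pattern that answers the question is a server-side, single-use form token that is consumed before the upload is processed; the following is an added illustration, not ZendTo's own code, and assumes PHP 7+ with sessions (the function names and the `auth` field name are hypothetical):

```php
<?php
// Added example (not ZendTo's code): a per-form token that is valid for
// exactly one POST. The server remembers the token it issued; the first
// POST that presents it removes it, so a replay of the same request fails.
// Assumes PHP 7+ (random_bytes, hash_equals) and a working session store.

const TOKEN_TTL_SECONDS = 900; // also expire tokens that are never used

function issueDropoffToken(): string {
    $token = bin2hex(random_bytes(32));            // 256-bit unguessable value
    $_SESSION['dropoff_tokens'][$token] = time();  // record issue time server-side
    return $token;                                 // goes into a hidden form field
}

function consumeDropoffToken(?string $token): bool {
    if ($token === null || empty($_SESSION['dropoff_tokens'])) {
        return false;
    }
    foreach ($_SESSION['dropoff_tokens'] as $stored => $issued) {
        if (hash_equals((string) $stored, $token)) {     // constant-time compare
            // Remove it BEFORE any processing, so a second POST carrying the
            // same value (e.g. from a proxy's repeater) never reaches the upload.
            unset($_SESSION['dropoff_tokens'][$stored]);
            return (time() - $issued) <= TOKEN_TTL_SECONDS;
        }
    }
    return false;
}

// Request handling sketch: validate the token first, only then touch the upload.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consumeDropoffToken($_POST['auth'] ?? null)) {
        http_response_code(403);
        exit('Invalid or already used request token');
    }
    // ... verify ReCaptcha, check the recipient domain against preferences.php,
    //     enforce a per-session upload count/size quota, then store the drop-off ...
} else {
    $auth = issueDropoffToken();
    echo '<input type="hidden" name="auth" value="'
        . htmlspecialchars($auth, ENT_QUOTES, 'UTF-8') . '">';
}
```

A single-use token stops replay of one captured request but not a client that simply requests a fresh form each time, so a per-session or per-IP upload quota is still needed against the disk-filling case.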

From: Jules <Jules at zend.to>
Sent by: zendto-bounces at zend.to
To: ZendTo Users <zendto at zend.to>
Date: 17.05.2011 10:43
Subject: [ZendTo] Re: Zendto is vulnerable for SQL-Injection
Please reply to: ZendTo Users <zendto at zend.to>

Very good, but exactly what was the process you or it used to achieve this?
I thought I had spotted all the points where this was possible, but
obviously missed one!

Without more details, there's little I can do about it. Which is obviously
not what we both want.

So please send me some more useful information.

Many thanks,
Jules.

On 17/05/2011 08:59, patrick.gaikowski at kaufland.com wrote:


      Hi @ all,

      I tried to audit ZendTo with Paros Proxy (www.parosproxy.org) and
      found out that ZendTo is vulnerable to SQL injection. The proxy
      manipulates the claimid and claimpasscode and could blow up the
      database with dropoffs!

--
Julian Field MEng CITP CEng
www.Zend.To

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'All programs have a desire to be useful' - Tron, 1982
_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto