[ZendTo] Re: Re: Re: Re: Zendto is vulnerable for SQL-Injection
patrick.gaikowski at kaufland.com
Mon May 23 13:03:38 BST 2011
Hi Jules,
Will there be a patch or a new release?
Best regards
Patrick Gaikowski
Tel: +49 7132 94 3568
Fax: +49 7132 94 73568
E-Mail: patrick.gaikowski at kaufland.com
KI 967800 IT International / Infrastructure
Office:
Lindichstrasse 11
D-74189 Weinsberg
http://www.kaufland.de
We are No. 1:
Kaufland is "Best Grocery Retailer 2011"!
Kaufland Informationssysteme GmbH & Co. KG
P.O. Box 12 53 - 74149 Neckarsulm
Limited partnership (Kommanditgesellschaft)
Registered office: Neckarsulm
Register court: Amtsgericht Stuttgart HRA 104163
From: Jules <Jules at zend.to>
Sent by: zendto-bounces at zend.to
To: ZendTo Users <zendto at zend.to>
Date: 23.05.2011 10:52
Subject: [ZendTo] Re: Re: Re: Zendto is vulnerable for SQL-Injection
Reply to: ZendTo Users <zendto at zend.to>
On 22/05/2011 15:09, patrick.gaikowski at kaufland.com wrote:
> Hi,
> we engaged a company for penetration testing of web applications and
> that's why I tried to be prepared....
> I used the tool "burp suite", which is an http/https proxy for
> intercepting web requests / responses.
> I made a dropoff request without username / password --> only
> ReCaptcha
Definitely a bug, now fixed. Well done!
> I intercepted the POST to dropoff.php
> (See attached file: dropoff)
Great, XML, my favourite. :-)
> In the tool you can send the POST to the repeating module and
> modify the POST.
> I was able to send the upload various times --> the limit
> will be the free space on the host system --> can be used to
> blow up the system and perhaps crash the system
If you don't complete the upload, then you will be able to do that. Once
the upload has finished, the auth code should be removed (and now is! :-)
(unless you're a logged-in user, at which point we can hunt you down
anyway).
I'm not particularly worried about attacks by logged-in users. They can
just repeat the entire upload process as many times as they like anyway,
uploading either the same files or different files each time.
> I was able to change, for example, the email address of the
> recipient (only the domain defined in preferences.php) in the
> POST --> can be used for SPAM if the email domain is not
> configured correctly
Agreed. You can indeed change the email address of the recipient in the
upload. But then again you can just make your automated hacking system
slightly more clever and do multiple uploads to anyone you like in the
preferences.php configured domain. So I am not worried about that either.
> Is it possible to limit the lifetime of the auth parameter to only
> one request?
Well spotted, yes that is a bug. Fixed. That should take care of the
multiple upload exploits you found above too.
Many thanks for finding these for me, it is much appreciated!
Cheers,
Jules
--
Julian Field MEng CITP CEng
www.Zend.To
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
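The two fixes Jules describes above, a dropoff auth code that is valid for exactly one request and then removed, and a recipient address that must stay inside the domain configured in preferences.php, are illustrated below in a small added example. It is not ZendTo's code (ZendTo is written in PHP and this is Python); the class and function names (AuthCodeStore, recipient_allowed, handle_dropoff), the form field names "authcode" and "recipient", the 15-minute lifetime and the domain "example.com" are all assumptions made for the illustration. The replay_demo function re-sends a constructed stand-in for the intercepted dropoff.php POST, once unchanged and once with the recipient swapped, the way the report describes doing it from Burp.

```python
# Added illustration of the two fixes discussed above; this is not ZendTo code
# (ZendTo is PHP). AuthCodeStore, recipient_allowed, handle_dropoff and the form
# field names "authcode" / "recipient" are hypothetical names for this example.
import secrets
import sqlite3
import time

# Stands in for the recipient domain configured in preferences.php (assumed value).
ALLOWED_RECIPIENT_DOMAIN = "example.com"


class AuthCodeStore:
    """Issues single-use upload authorisation codes with a short lifetime.

    A code is consumed by one UPDATE that both checks and marks it used, so a
    replayed POST (e.g. resent from a proxy tool) cannot pass twice, even when
    two replays arrive at the same time.
    """

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE authcodes (code TEXT PRIMARY KEY,"
            " issued_at REAL NOT NULL, used INTEGER NOT NULL DEFAULT 0)"
        )

    def issue(self, now=None):
        """Mint an unguessable code (192 bits) and record when it was issued."""
        issued_at = time.time() if now is None else now
        code = secrets.token_urlsafe(24)
        self.conn.execute(
            "INSERT INTO authcodes (code, issued_at, used) VALUES (?, ?, 0)",
            (code, issued_at),
        )
        self.conn.commit()
        return code

    def consume(self, code, now=None):
        """Return True exactly once per code, and only while it is unexpired."""
        now = time.time() if now is None else now
        cur = self.conn.execute(
            "UPDATE authcodes SET used = 1"
            " WHERE code = ? AND used = 0 AND issued_at > ?",
            (code, now - self.ttl),
        )
        self.conn.commit()
        return cur.rowcount == 1


def recipient_allowed(email, allowed_domain=ALLOWED_RECIPIENT_DOMAIN):
    """Accept only a single, well-formed address in the configured domain.

    Header-injection characters, bare domains and multi-address input are
    rejected so a modified POST cannot turn the server into a spam relay.
    """
    if not email or any(ch in email for ch in "\r\n\t ,;"):
        return False
    local, sep, domain = email.rpartition("@")
    if not sep or not local or "@" in local:
        return False
    return domain.lower() == allowed_domain.lower()


def handle_dropoff(store, form):
    """Process one captcha-only dropoff POST; form is a dict of its fields.

    The auth code is consumed before anything else is examined, so a rejected
    request still burns the code and cannot be retried with other fields.
    """
    if not store.consume(form.get("authcode", "")):
        return "rejected: auth code missing, expired or already used"
    if not recipient_allowed(form.get("recipient", "")):
        return "rejected: recipient outside the configured domain"
    return "accepted"


def replay_demo():
    """Replay a captured POST as the report describes; returns the three outcomes."""
    store = AuthCodeStore()
    # Constructed stand-in for the intercepted dropoff.php POST (not real field names).
    captured = {"authcode": store.issue(), "recipient": "alice@example.com",
                "filename": "report.pdf"}
    first = handle_dropoff(store, captured)
    replay = handle_dropoff(store, dict(captured))  # identical resend
    retarget = handle_dropoff(store, {**captured, "recipient": "victim@other.example"})
    return first, replay, retarget


if __name__ == "__main__":
    for outcome in replay_demo():
        print(outcome)
```

Running the module prints "accepted" for the first request and a rejection for both replays: the second and third POSTs carry a code that was already consumed, so neither the free-space exhaustion nor the recipient substitution gets as far as the upload handling. Consuming the code in a single conditional UPDATE is what makes this hold under concurrent replays; a separate SELECT followed by an UPDATE would leave a window in which two copies of the same POST both pass.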
_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto