[ZendTo] Antwort: Re: Antwort: Re: Zendto is vulnerable for SQL-Injection

patrick.gaikowski at kaufland.com patrick.gaikowski at kaufland.com
Mon May 23 13:03:38 BST 2011


Hi Jules,

will there be a patch or new release?

Best regards

Patrick Gaikowski
Tel:    +49 7132 94 3568
Fax:    +49 7132 94 73568
E-Mail: patrick.gaikowski at kaufland.com
KI 967800 IT International / Infrastructure
Office:
Lindichstrasse 11
D-74189 Weinsberg

http://www.kaufland.de
We are No. 1:
Kaufland is "Best Grocery Store 2011"!

Kaufland Informationssysteme GmbH & Co. KG
P.O. Box 12 53 - 74149 Neckarsulm
Limited partnership
Registered office: Neckarsulm
Court of registration: Stuttgart Local Court HRA 104163



From: Jules <Jules at zend.to>
Sent by: zendto-bounces at zend.to
To: ZendTo Users <zendto at zend.to>
Date: 23.05.2011 10:52
Subject: [ZendTo] Re: Antwort: Re: Zendto is vulnerable for SQL-Injection
Reply to: ZendTo Users <zendto at zend.to>

On 22/05/2011 15:09, patrick.gaikowski at kaufland.com wrote:

> Hi,
>
> we engaged a company for penetration testing of web applications and
> that's why I tried to be prepared....
>
> I used the tool "burp suite", which is an http/https proxy for
> intercepting web requests / responses.
>
> I made a dropoff request without username / password --> only
> ReCaptcha

Definitely a bug, now fixed. Well done!

> I intercepted the POST to dropoff.php
>
> (See attached file: dropoff)

Great, XML, my favourite. :-)

> In the tool you can send the POST to the repeating module and
> modify the POST.
> I was able to send the upload various times --> the limit
> will be the free space on the host system --> can be used to
> blow up the system and perhaps crash the system

If you don't complete the upload, then you will be able to do that. Once
the upload has finished, the auth code should be removed (and now is! :-)
(unless you're a logged in user, at which point we can hunt you down
anyway).
I'm not particularly worried about attacks by logged in users. They can
just repeat the entire upload process as many times as they like anyway,
uploading either the same files or different files each time.

> I was able to change, for example, the email address of the
> recipient (only the domain defined in preferences.php) in the
> POST --> can be used for SPAM if the email domain is not
> configured correctly

Agreed. You can indeed change the email address of the recipient in the
upload. But then again you can just make your automated hacking system
slightly more clever and do multiple uploads to anyone you like in the
preferences.php configured domain. So I am not worried about that either.

> Is it possible to limit the lifetime of the auth parameter to only
> one request?

Well spotted, yes that is a bug. Fixed. That should take care of the
multiple uploads exploits you found above too.

Many thanks for finding these for me, it is much appreciated!

Cheers,
Jules

--
Julian Field MEng CITP CEng
www.Zend.To

Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

'All programs have a desire to be useful' - Tron, 1982
_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
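The fix Jules describes above, a dropoff auth code that is retired once the upload completes, plus a server-side check that the recipient stays inside the configured domain, modelled as an added Python example. This is not ZendTo's code; the domain, TTL, class and function names are assumptions.

```python
import secrets
import time

# Constructed placeholders standing in for the preferences.php settings
# discussed in the thread; the real ZendTo config values are not on this page.
ALLOWED_RECIPIENT_DOMAIN = "example.org"
AUTH_CODE_TTL_SECONDS = 600


class DropoffAuthStore:
    """Server-side record of auth codes handed out after a solved CAPTCHA.

    Each code is good for one completed upload; after that it is deleted,
    so replaying the intercepted POST with the same code is refused.
    """

    def __init__(self, ttl=AUTH_CODE_TTL_SECONDS, clock=time.time):
        self._codes = {}       # auth code -> expiry time (epoch seconds)
        self._ttl = ttl
        self._clock = clock    # injectable so expiry can be tested offline

    def issue(self):
        code = secrets.token_urlsafe(32)   # unguessable, one per CAPTCHA solve
        self._codes[code] = self._clock() + self._ttl
        return code

    def is_valid(self, code):
        expiry = self._codes.get(code)
        return expiry is not None and self._clock() <= expiry

    def retire(self, code):
        self._codes.pop(code, None)        # idempotent; unknown codes are ignored


def recipient_allowed(address, domain=ALLOWED_RECIPIENT_DOMAIN):
    """Enforce the recipient domain on the server, not only in the HTML form."""
    local, sep, host = address.rpartition("@")
    return bool(local) and sep == "@" and host.lower() == domain.lower()


def handle_dropoff(store, auth_code, recipient, upload_completed):
    """Model of the POST handler; upload_completed is the outcome of storing the file."""
    if not store.is_valid(auth_code):
        return "rejected: auth code unknown, expired or already used"
    if not recipient_allowed(recipient):
        return "rejected: recipient outside the configured domain"
    if not upload_completed:
        return "incomplete: code still usable for a retry"
    store.retire(auth_code)   # one completed upload per code, as in the fix
    return "accepted"
```

Retiring the code only on completion matches the reply, so concurrent in-flight POSTs carrying the same code are not stopped; popping the code inside is_valid instead closes that window at the cost of a fresh CAPTCHA after a failed upload.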