[ZendTo] Re: Antwort: Re: Zendto is vulnerable for SQL-Injection

Jason Ede J.Ede at birchenallhowden.co.uk
Mon May 23 13:55:51 BST 2011


Jules,

Could you make it so we're only allowed 1 active upload stream as well? That way, even if someone tried creating lots of extra files whilst a larger one was uploading, it wouldn't work as an exploit...

Jason

From: zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] On Behalf Of Jules
Sent: 23 May 2011 09:53
To: ZendTo Users
Subject: [ZendTo] Re: Antwort: Re: Zendto is vulnerable for SQL-Injection



On 22/05/2011 15:09, patrick.gaikowski at kaufland.com wrote:

Hi,

we engaged a company for penetration testing of web applications and that's why I tried to be prepared....

I used the tool "burp suite" which is a http/https proxy for intercepting web requests / responses.

  *   I made a dropoff request without username / password --> only ReCaptcha
Definitely a bug, now fixed. Well done!


  *   I intercepted the POST to dropoff.php

(See attached file: dropoff)
Great, XML, my favourite. :-)


  *   in the tool you can send the POST to the repeating module and modify the POST
  *   I was able to send the upload various times --> the limit will be the free space on the host system --> can be used to blow up the system and perhaps crash the system
If you don't complete the upload, then you will be able to do that. Once the upload has finished, the auth code should be removed (and now is! :-) ) (unless you're a logged in user, at which point we can hunt you down anyway).
I'm not particularly worried about attacks by logged in users. They can just repeat the entire upload process as many times as they like anyway, uploading either the same files or different files each time.


  *   I was able to change for example the email address of the recipient (only the domain defined in preferences.php) in the POST --> can be used for SPAM if the email domain is not configured correctly
Agreed. You can indeed change the email address of the recipient in the upload. But then again you can just make your automated hacking system slightly more clever and do multiple uploads to anyone you like in the preferences.php configured domain. So I am not worried about that either.


Is it possible to limit the lifetime of the auth parameter to only one request?
Well spotted, yes that is a bug. Fixed. That should take care of the multiple uploads exploits you found above too.

Many thanks for finding these for me, it is much appreciated!

Cheers,


Jules



--

Julian Field MEng CITP CEng

www.Zend.To



Follow me at twitter.com/JulesFM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654



'All programs have a desire to be useful' - Tron, 1982
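Added example (not ZendTo's code, and not anything posted in this thread): a small, self-contained model of the two server-side controls discussed above. The auth token handed out with the drop-off form is consumed the moment the upload completes, so a POST replayed from Burp Repeater is refused; a token permits at most one in-flight upload stream, which is the cap Jason asks for; and the recipient address is checked against an exact domain match rather than a substring. The store is in-memory and `ALLOWED_DOMAIN` is an assumed stand-in for the domain configured in preferences.php. It also keeps the caveat from the thread: an upload that is started and then aborted frees its slot and the token stays usable until it expires, so that path is bounded only by the TTL and the stream cap.

```python
"""Single-use upload auth token with a one-active-stream cap (illustration).

Not ZendTo code.  Models the fixes discussed on the list: the auth parameter
is consumed once the upload completes, at most one upload stream may be open
per token, and the recipient must be in the configured domain.
"""
import re
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed stand-in for the recipient domain configured in preferences.php.
ALLOWED_DOMAIN = "example.com"


@dataclass
class UploadAuth:
    token: str
    issued_at: float
    consumed: bool = False
    active_streams: int = 0


class UploadAuthStore:
    """Issue, check and consume per-drop-off auth tokens (in-memory)."""

    def __init__(self, ttl_seconds: float = 3600.0, max_streams: int = 1):
        self._tokens: Dict[str, UploadAuth] = {}
        self.ttl = ttl_seconds
        self.max_streams = max_streams  # Jason's request: one stream per token

    def issue(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits, not guessable
        self._tokens[token] = UploadAuth(token, now)
        return token

    def _lookup(self, token: str, now: float) -> Optional[UploadAuth]:
        auth = self._tokens.get(token)
        if auth is None or auth.consumed:
            return None
        if now - auth.issued_at > self.ttl:
            del self._tokens[token]  # expired: drop it
            return None
        return auth

    def begin_upload(self, token: str, now: Optional[float] = None) -> bool:
        """Reserve a stream slot for this token.  False means reject the POST."""
        now = time.time() if now is None else now
        auth = self._lookup(token, now)
        if auth is None or auth.active_streams >= self.max_streams:
            return False
        auth.active_streams += 1
        return True

    def finish_upload(self, token: str) -> None:
        """Upload completed: consume the token so a replayed POST is refused."""
        auth = self._tokens.get(token)
        if auth is not None:
            auth.consumed = True
            auth.active_streams = 0

    def abort_upload(self, token: str) -> None:
        """Client dropped the connection: free the slot.  The token stays valid
        until it expires (the incomplete-upload case the thread points out)."""
        auth = self._tokens.get(token)
        if auth is not None and auth.active_streams > 0:
            auth.active_streams -= 1


_EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def recipient_allowed(email: str, domain: str = ALLOWED_DOMAIN) -> bool:
    """Exact, case-insensitive match on the domain part of the address.
    A substring check would let user@example.com.attacker.net through."""
    m = _EMAIL_RE.match(email.strip())
    return m is not None and m.group(1).lower() == domain.lower()


def replay_attack(store: UploadAuthStore, token: str, attempts: int) -> int:
    """Simulate a Burp Repeater loop: the same complete dropoff POST sent
    `attempts` times with one token.  Returns how many the server accepted."""
    accepted = 0
    for _ in range(attempts):
        if store.begin_upload(token):
            accepted += 1
            store.finish_upload(token)
    return accepted


if __name__ == "__main__":
    s = UploadAuthStore()
    t = s.issue()
    print("replayed POSTs accepted:", replay_attack(s, t, 50))
    print(recipient_allowed("alice@example.com"),
          recipient_allowed("alice@example.com.attacker.net"))
```

With `max_streams=1` the parallel-file trick (start one large upload, then open many small ones on the same token) is refused at `begin_upload`; with the token consumed in `finish_upload`, the repeated complete uploads are refused after the first. Logged-in users, as Jules notes, can simply request a fresh token each time, so this bounds anonymous abuse rather than authenticated use.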