[ZendTo] Re: Antwort: Re: Zendto is vulnerable for SQL-Injection

Ken Buska kbuska at computerlabsolutions.com
Mon May 23 16:37:23 BST 2011


Jules,

how can we get these fixes? is there a source repository somewhere?

Cheers,
Ken



On Mon, May 23, 2011 at 2:52 AM, Jules <Jules at zend.to> wrote:

>
>
> On 22/05/2011 15:09, patrick.gaikowski at kaufland.com wrote:
>
> Hi,
>
> we engaged a company for penetration testing of web applications and thats
> why i tried to be prepared....
>
> I used the tool "burp suite" which is a http/https proxy for intercepting
> web requests / responses.
>
>    - i made a dropoff request without username / password --> only
>    ReCaptcha
>
>  Definitely a bug, now fixed. Well done!
>
>
>    -
>     - i intercepted the POST to dropoff.php
>
>
> *(See attached file: dropoff)*
>
> Great, XML, my favourite. :-)
>
>
>    - in the tool you can send the POST to the repeating module and modify
>    the POST
>    - i was able the send the upload a various times --> the limit will be
>    the free space on the host system --> can be used for blow up the
>    system and perhaps crash the system
>
>  If you don't complete the upload, then you will be able to do that. Once
> the upload has finished, the auth code should be removed (and now is! :-)
> (unless you're a logged in user, at which point we can hunt you down
> anyway).
> I'm not particularly worried about attacks by logged in users. They can
> just repeat the entire upload process as many times as they like anyway,
> uploading either the same files or different files each time.
>
>
>    -
>     - i was able to change for example the email-address of the recipient
>    (only the domain defined in preferences.php) in the POST--> can be used
>    for SPAM if the email domain is not configured correctly
>
>  Agreed. You can indeed change the email address of the recipient in the
> upload. But then again you can just make your automated hacking system
> slightly more clever and do multiple uploads to anyone you like in the the
> preferences.php configured domain. So I am not worried about that either.
>
>
> Is it possible to limit the lifetime of the auth-Parameter to only one
> request?
>
> Well spotted, yes that is a bug. Fixed. That should take care of the
> multiple uploads exploits you found above too.
>
> Many thanks for finding these for me, it is much appreciated!
>
> Cheers,
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.Zend.To
>
> Follow me at twitter.com/JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> 'All programs have a desire to be useful' - Tron, 1982
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20110523/9925dd39/attachment.html 


More information about the ZendTo mailing list