[ZendTo] Re: Antwort: Re: Antwort: Re: Zendto is vulnerable for SQL-Injection
Jules
Jules at Zend.To
Mon May 23 16:49:37 BST 2011
I will publish a new release in a few days.
Not sure if that will include the new UI on MyZendTo or not, depends how
quickly that gets done. If it's going to be more than a day or two, I'll
put out a new release without it, as we obviously want to get this
problem fixed a.s.a.p.
Jules.
On 23/05/2011 13:03, patrick.gaikowski at kaufland.com wrote:
>
> Hi Jules,
>
> will there be a patch or new release?
>
> Kind regards / Best regards
>
> Patrick Gaikowski
> Tel: +49 7132 94 3568
> Fax: +49 7132 94 73568
> E-Mail: patrick.gaikowski at kaufland.com
> KI 967800 IT International / Infrastructure
> Office:
> Lindichstrasse 11
> D-74189 Weinsberg
>
>
>
> http://www.kaufland.de
> We are No. 1:
> Kaufland is "Best Grocery Store 2011"!
>
> Kaufland Informationssysteme GmbH & Co. KG
> P.O. Box 12 53 - 74149 Neckarsulm
> Limited partnership
> Registered office: Neckarsulm
> Register court: Stuttgart Local Court HRA 104163
>
>
> *Jules <Jules at zend.to>*
> Sent by: zendto-bounces at zend.to
> 23.05.2011 10:52
> Please reply to: ZendTo Users <zendto at zend.to>
> To: ZendTo Users <zendto at zend.to>
> Subject: [ZendTo] Re: Antwort: Re: Zendto is vulnerable for SQL-Injection
>
> On 22/05/2011 15:09, patrick.gaikowski at kaufland.com wrote:
>
>
> Hi,
>
> we engaged a company for penetration testing of web applications
> and that's why I tried to be prepared....
>
> I used the tool "Burp Suite", which is an HTTP/HTTPS proxy for
> intercepting web requests / responses.
> * I made a dropoff request without username / password -->
> only ReCaptcha
>
> Definitely a bug, now fixed. Well done!
>
> * I intercepted the POST to dropoff.php
>
> (See attached file: dropoff)
>
> Great, XML, my favourite. :-)
>
> * In the tool you can send the POST to the repeating module and
> modify the POST
> * I was able to send the upload various times --> the limit
> will be the free space on the host system --> can be used to
> blow up the system and perhaps crash the system
>
> If you don't complete the upload, then you will be able to do that.
> Once the upload has finished, the auth code should be removed (and now
> is! :-) (unless you're a logged in user, at which point we can hunt
> you down anyway).
> I'm not particularly worried about attacks by logged in users. They
> can just repeat the entire upload process as many times as they like
> anyway, uploading either the same files or different files each time.
>
> * I was able to change, for example, the email address of the
> recipient (only the domain defined in preferences.php) in the
> POST --> can be used for SPAM if the email domain is not
> configured correctly
>
> Agreed. You can indeed change the email address of the recipient in
> the upload. But then again you can just make your automated hacking
> system slightly more clever and do multiple uploads to anyone you like
> in the preferences.php configured domain. So I am not worried
> about that either.
>
>
> Is it possible to limit the lifetime of the auth parameter to
> only one request?
>
> Well spotted, yes that is a bug. Fixed. That should take care of the
> multiple uploads exploits you found above too.
>
> Many thanks for finding these for me, it is much appreciated!
>
> Cheers,
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.Zend.To <http://www.zend.to/>
>
> Follow me at twitter.com/JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> 'All programs have a desire to be useful' - Tron, 1982
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
Jules
--
Julian Field MEng CITP CEng
www.Zend.To
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
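The fix Jules describes above (the auth code is removed once the upload has finished, so a POST replayed from the proxy no longer works) can be demonstrated with a single-use code store. This is an added example, not ZendTo's own code: the class and function names (DropoffAuthCodes, handle_dropoff), the form field names (auth, recipEmail) and the example.com recipient domain are assumptions.

```python
import secrets
import time

# Constructed stand-in for the recipient-domain setting from preferences.php.
ALLOWED_RECIPIENT_DOMAIN = "example.com"


class DropoffAuthCodes:
    # Assumed in-memory single-use code store; ZendTo keeps its own in its database.
    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._codes = {}          # code -> time issued
        self._ttl = ttl_seconds
        self._clock = clock

    def issue(self):
        # Handed out only after the CAPTCHA (or login) check has passed.
        code = secrets.token_urlsafe(32)
        self._codes[code] = self._clock()
        return code

    def consume(self, code):
        # pop() validates and deletes in one step, so a replayed POST that
        # reuses the intercepted code is rejected no matter how often it is sent.
        issued_at = self._codes.pop(code, None)
        if issued_at is None:
            return False
        return self._clock() - issued_at <= self._ttl


def handle_dropoff(store, form):
    """Simulated dropoff.php handler: returns (http_status, message)."""
    recipient = form.get("recipEmail", "")
    if not recipient.lower().endswith("@" + ALLOWED_RECIPIENT_DOMAIN):
        return (400, "recipient outside the configured domain")
    if not store.consume(form.get("auth", "")):
        return (403, "auth code missing, expired or already used")
    # The real handler would store the file and notify the recipient here.
    return (200, "dropoff accepted")


def replay_scenario():
    """First submit succeeds; re-sending the same POST from a proxy is refused."""
    store = DropoffAuthCodes()
    form = {"auth": store.issue(), "recipEmail": "user@example.com"}
    return handle_dropoff(store, form)[0], handle_dropoff(store, dict(form))[0]


def expiry_scenario():
    # A code that is never used still dies after its TTL (fake clock).
    now = [1000.0]
    store = DropoffAuthCodes(ttl_seconds=60, clock=lambda: now[0])
    code = store.issue()
    now[0] += 61
    return handle_dropoff(store, {"auth": code, "recipEmail": "user@example.com"})[0]
```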