[ZendTo] Re: Antwort: Re: Zendto is vulnerable for SQL-Injection
Jules
Jules at Zend.To
Mon May 23 16:50:25 BST 2011
You will get them when I release them, which will be in the next day or two.
Jules.
On 23/05/2011 16:37, Ken Buska wrote:
> Jules,
>
> how can we get these fixes? is there a source repository somewhere?
>
> Cheers,
> Ken
>
>
>
> On Mon, May 23, 2011 at 2:52 AM, Jules <Jules at zend.to> wrote:
>
> On 22/05/2011 15:09, patrick.gaikowski at kaufland.com wrote:
>>
>> Hi,
>>
>> we engaged a company for penetration testing of web applications
>> and that's why I tried to be prepared....
>>
>> I used the tool "burp suite", which is an http/https proxy for
>> intercepting web requests / responses.
>>
>> * I made a dropoff request without username / password -->
>> only ReCaptcha
>>
> Definitely a bug, now fixed. Well done!
>
>>
>> * I intercepted the POST to dropoff.php
>>
>> (See attached file: dropoff)
> Great, XML, my favourite. :-)
>
>> * In the tool you can send the POST to the repeating module
>> and modify the POST
>> * I was able to send the upload various times --> the
>> limit will be the free space on the host system --> can be
>> used to blow up the system and perhaps crash the system
>>
> If you don't complete the upload, then you will be able to do
> that. Once the upload has finished, the auth code should be
> removed (and now is! :-) (unless you're a logged-in user, at which
> point we can hunt you down anyway).
> I'm not particularly worried about attacks by logged in users.
> They can just repeat the entire upload process as many times as
> they like anyway, uploading either the same files or different
> files each time.
>
>>
>> * I was able to change, for example, the email address of the
>> recipient (only the domain defined in preferences.php) in
>> the POST --> can be used for SPAM if the email domain is not
>> configured correctly
>>
> Agreed. You can indeed change the email address of the recipient
> in the upload. But then again you can just make your automated
> hacking system slightly more clever and do multiple uploads to
> anyone you like in the preferences.php configured domain. So I
> am not worried about that either.
>
>>
>> Is it possible to limit the lifetime of the auth parameter to only
>> one request?
> Well spotted, yes that is a bug. Fixed. That should take care of
> the multiple uploads exploits you found above too.
>
> Many thanks for finding these for me, it is much appreciated!
>
> Cheers,
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.Zend.To
> Follow me at twitter.com/JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> 'All programs have a desire to be useful' - Tron, 1982
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
Jules
--
Julian Field MEng CITP CEng
www.Zend.To
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
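The fix agreed in the thread is that the drop-off auth code must be good for exactly one completed upload, so that re-sending the captured POST from Burp's repeater no longer creates more drop-offs, and that the recipient must stay inside the domain configured in preferences.php. The Python below is an added illustration of that server-side logic, written for this page; it is not ZendTo's PHP code, and the store, the form field names, the domain constant and the "consume on completion" placement are all assumptions. The login/ReCaptcha gate that happens before the form is served is out of scope.

```python
"""Single-use drop-off auth codes plus a recipient-domain check.

Added example modelled on the fix discussed in the thread: a code is
issued when the drop-off form is served and is deleted the moment an
upload completes, so replaying the same POST (as Burp's repeater does)
is rejected. Illustrative Python, not ZendTo's PHP; all names assumed.
"""
import secrets
import threading
import time

# Stands in for the recipient-domain restriction in preferences.php (assumption).
ALLOWED_RECIPIENT_DOMAIN = "example.org"


class DropoffAuthStore:
    """Server-side registry of outstanding auth codes (code -> expiry time)."""

    def __init__(self, ttl_seconds=3600):
        self._codes = {}
        self._lock = threading.Lock()
        self._ttl = ttl_seconds

    def issue(self, now=None):
        """Mint a fresh, unguessable code when the drop-off form is served."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)
        with self._lock:
            self._codes[code] = now + self._ttl
        return code

    def consume(self, code, now=None):
        """Validate and delete in one locked step; succeeds at most once per code."""
        now = time.time() if now is None else now
        with self._lock:
            expiry = self._codes.pop(code, None)
        return expiry is not None and now <= expiry


def recipient_allowed(email):
    """Reject recipients outside the configured domain (the anti-spam check)."""
    local, sep, domain = email.rpartition("@")
    return bool(local) and sep == "@" and domain.lower() == ALLOWED_RECIPIENT_DOMAIN


def handle_dropoff(store, form, now=None):
    """Decision for one POST to dropoff.php (simulated). Returns a status string."""
    if not recipient_allowed(form.get("recipient", "")):
        return "rejected: recipient domain"
    if not form.get("file"):
        return "rejected: no file"
    # The code is burned only once the upload has actually completed, so an
    # interrupted upload can be retried, but a finished one cannot be replayed.
    if not store.consume(form.get("auth", ""), now):
        return "rejected: auth code unknown, expired or already used"
    return "accepted"


def replay_demo():
    """Issue one code, send the POST once, then replay and tamper with it."""
    store = DropoffAuthStore(ttl_seconds=600)
    code = store.issue(now=0)
    # Constructed sample form data standing in for the intercepted POST.
    post = {"recipient": "alice@example.org",
            "file": b"constructed payload",
            "auth": code}
    first = handle_dropoff(store, post, now=1)          # genuine upload
    second = handle_dropoff(store, dict(post), now=2)   # repeater replay
    spam = dict(post, auth=store.issue(now=3), recipient="victim@elsewhere.net")
    third = handle_dropoff(store, spam, now=4)          # recipient changed
    return first, second, third


if __name__ == "__main__":
    for outcome in replay_demo():
        print(outcome)
```

Two points worth noting for anyone porting this to the real application: the pop inside the lock is what makes the code single-use even when the replayed requests arrive concurrently, and the expiry is checked after the pop, so an expired code is discarded rather than left lying around in the store.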