[ZendTo] Re: Antwort: Re: Zendto is vulnerable for SQL-Injection
Jules
Jules at Zend.To
Mon May 23 16:50:02 BST 2011
I don't think I can easily do that, sorry.
On 23/05/2011 13:55, Jason Ede wrote:
>
> Jules,
>
> Could you make it so we're only allowed 1 active upload stream as well?
> That way even if you tried creating lots of extra files whilst a larger
> one was uploading then it wouldn't work as an exploit...
>
> Jason
>
> *From:*zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] *On
> Behalf Of *Jules
> *Sent:* 23 May 2011 09:53
> *To:* ZendTo Users
> *Subject:* [ZendTo] Re: Antwort: Re: Zendto is vulnerable for
> SQL-Injection
>
>
>
> On 22/05/2011 15:09, patrick.gaikowski at kaufland.com
> <mailto:patrick.gaikowski at kaufland.com> wrote:
>
> Hi,
>
> we engaged a company for penetration testing of web applications and
> that's why I tried to be prepared....
>
> I used the tool "burp suite" which is an HTTP/HTTPS proxy for
> intercepting web requests / responses.
>
> * I made a dropoff request without username / password --> only
> ReCaptcha
>
> Definitely a bug, now fixed. Well done!
>
> * I intercepted the POST to dropoff.php
>
>
> (See attached file: dropoff)
>
> Great, XML, my favourite. :-)
>
> * in the tool you can send the POST to the repeating module and
> modify the POST
> * I was able to send the upload various times --> the limit
> will be the free space on the host system --> can be used to
> blow up the system and perhaps crash the system
>
> If you don't complete the upload, then you will be able to do that.
> Once the upload has finished, the auth code should be removed (and now
> is! :-) (unless you're a logged in user, at which point we can hunt
> you down anyway).
> I'm not particularly worried about attacks by logged in users. They
> can just repeat the entire upload process as many times as they like
> anyway, uploading either the same files or different files each time.
>
> * I was able to change for example the email-address of the
> recipient (only the domain defined in preferences.php) in the
> POST --> can be used for SPAM if the email domain is not
> configured correctly
>
> Agreed. You can indeed change the email address of the recipient in
> the upload. But then again you can just make your automated hacking
> system slightly more clever and do multiple uploads to anyone you like
> in the preferences.php configured domain. So I am not worried
> about that either.
>
>
> Is it possible to limit the lifetime of the auth parameter to only one
> request?
>
> Well spotted, yes that is a bug. Fixed. That should take care of the
> multiple uploads exploits you found above too.
>
> Many thanks for finding these for me, it is much appreciated!
>
> Cheers,
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.Zend.To <http://www.Zend.To>
>
> Follow me at twitter.com/JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> 'All programs have a desire to be useful' - Tron, 1982
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
Jules
--
Julian Field MEng CITP CEng
www.Zend.To
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
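The fix discussed in the thread, a dropoff auth parameter that is valid for one upload only and is removed once the upload finishes, sketched as an added example. This is not ZendTo's own code (ZendTo is PHP; the sketch is Python) and the class name, method names, the token TTL, the recipient-binding check and the "one active upload stream per token" rule from Jason's suggestion are all assumptions made for illustration. The simulated replay stands in for re-sending the captured POST from an intercepting proxy's repeat function.

```python
import secrets
import threading
import time


class UploadAuthStore:
    """Single-use, expiring authorisation tokens for a dropoff upload.

    Constructed example, not ZendTo's code. A token is issued when the
    dropoff form is rendered (after ReCaptcha for an anonymous sender),
    must accompany the POST to dropoff.php, and is consumed when the
    upload completes, so replaying the captured POST is rejected.
    """

    def __init__(self, ttl_seconds=3600, allowed_domain="example.com"):
        self.ttl = ttl_seconds                      # assumed lifetime of an unused token
        self.allowed_domain = allowed_domain.lower()  # stands in for the preferences.php domain
        self._tokens = {}                           # token -> {recipient, expires, in_progress}
        self._lock = threading.Lock()

    def issue(self, recipient, now=None):
        """Mint a token for one upload to `recipient` (must be in the allowed domain)."""
        now = time.time() if now is None else now
        domain = recipient.rpartition("@")[2].lower()
        if domain != self.allowed_domain:
            raise ValueError("recipient outside configured domain")
        token = secrets.token_urlsafe(32)           # 256 bits, unguessable
        with self._lock:
            self._tokens[token] = {"recipient": recipient,
                                   "expires": now + self.ttl,
                                   "in_progress": False}
        return token

    def begin_upload(self, token, recipient, now=None):
        """Called when the POST to dropoff.php arrives.

        Returns True if the upload may proceed. Returns False for an
        unknown, expired or already-consumed token, for a token whose
        upload is still running (one active stream per token), and for a
        recipient that differs from the one the token was issued for, so
        editing the recipient field in a replayed POST does not help.
        """
        now = time.time() if now is None else now
        with self._lock:
            entry = self._tokens.get(token)
            if entry is None:
                return False
            if now >= entry["expires"]:
                del self._tokens[token]
                return False
            if entry["in_progress"]:
                return False
            if entry["recipient"] != recipient:
                return False
            entry["in_progress"] = True
            return True

    def finish_upload(self, token, success=True):
        """Consume the token when the upload completes; on a failed upload
        release it so the legitimate sender can retry with the same form."""
        with self._lock:
            entry = self._tokens.get(token)
            if entry is None:
                return
            if success:
                del self._tokens[token]
            else:
                entry["in_progress"] = False


def simulate_replay(now=0.0):
    """One legitimate upload followed by three replays of the same POST.

    Returns the accept/reject decisions in order: the first upload is
    accepted, every replay of the consumed token is rejected.
    """
    store = UploadAuthStore(allowed_domain="example.com")
    token = store.issue("alice@example.com", now=now)
    outcomes = [store.begin_upload(token, "alice@example.com", now=now)]
    store.finish_upload(token)
    for _ in range(3):
        outcomes.append(store.begin_upload(token, "alice@example.com", now=now + 1))
    return outcomes
```

The same store also answers the "lots of extra files whilst a larger one was uploading" case: a second `begin_upload` with a token whose first upload has not yet finished is refused until `finish_upload` releases or consumes it.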