[ZendTo] Re: Antwort: Re: Zendto is vulnerable for SQL-Injection

Mon May 23 16:55:13 BST 2011

Thank you, have a good evening!

-Ken

Ken Buska
Director of Technical Operations
Computer Lab Solutions
255 B Street #207
Idaho Falls, ID, 83402
tel: (877) 299-6241 x500
fax: (877) 279-2486
Intl tel: +1 (801) 447-2778 x500
Intl fax: +1 (801) 823-2210
email: support at computerlabsolutions.com
helpdesk: http://helpdesk.computerlabsolutions.com

On Mon, May 23, 2011 at 9:50 AM, Jules <Jules at zend.to> wrote:

>  You will get them when I release them, which will be in the next day or
> two.
>
> Jules.
>
>
> On 23/05/2011 16:37, Ken Buska wrote:
>
> Jules,
>
> how can we get these fixes? is there a source repository somewhere?
>
> Cheers,
> Ken
>
>
>
> On Mon, May 23, 2011 at 2:52 AM, Jules <Jules at zend.to> wrote:
>
>>
>>
>> On 22/05/2011 15:09, patrick.gaikowski at kaufland.com wrote:
>>
>> Hi,
>>
>> we engaged a company for penetration testing of web applications and thats
>> why i tried to be prepared....
>>
>> I used the tool "burp suite" which is a http/https proxy for intercepting
>> web requests / responses.
>>
>>    - i made a dropoff request without username / password --> only
>>    ReCaptcha
>>
>>  Definitely a bug, now fixed. Well done!
>>
>>
>>    -
>>     - i intercepted the POST to dropoff.php
>>
>>
>> *(See attached file: dropoff)*
>>
>>  Great, XML, my favourite. :-)
>>
>>
>>    - in the tool you can send the POST to the repeating module and modify
>>    the POST
>>    - i was able the send the upload a various times --> the limit will be
>>    the free space on the host system --> can be used for blow up the
>>    system and perhaps crash the system
>>
>>  If you don't complete the upload, then you will be able to do that. Once
>> the upload has finished, the auth code should be removed (and now is! :-)
>> (unless you're a logged in user, at which point we can hunt you down
>> anyway).
>> I'm not particularly worried about attacks by logged in users. They can
>> just repeat the entire upload process as many times as they like anyway,
>> uploading either the same files or different files each time.
>>
>>
>>    -
>>     - i was able to change for example the email-address of the recipient
>>    (only the domain defined in preferences.php) in the POST--> can be
>>    used for SPAM if the email domain is not configured correctly
>>
>>  Agreed. You can indeed change the email address of the recipient in the
>> upload. But then again you can just make your automated hacking system
>> slightly more clever and do multiple uploads to anyone you like in the the
>> preferences.php configured domain. So I am not worried about that either.
>>
>>
>> Is it possible to limit the lifetime of the auth-Parameter to only one
>> request?
>>
>>  Well spotted, yes that is a bug. Fixed. That should take care of the
>> multiple uploads exploits you found above too.
>>
>> Many thanks for finding these for me, it is much appreciated!
>>
>> Cheers,
>>
>> Jules
>>
>> --
>> Julian Field MEng CITP CEng
>> www.Zend.To
>>
>> Follow me at twitter.com/JulesFM
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>> 'All programs have a desire to be useful' - Tron, 1982
>>
>>
>> _______________________________________________
>> ZendTo mailing list
>> ZendTo at zend.to
>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>
>
>
> _______________________________________________
> ZendTo mailing listZendTo at zend.tohttp://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
>
> Jules
>
> --
> Julian Field MEng CITP CEngwww.Zend.To
>
> Follow me at twitter.com/JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> 'All programs have a desire to be useful' - Tron, 1982
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20110523/4cdbf821/attachment.html 