[ZendTo] Using a foreign ZendTo-Server as a file hoster
Scheidt, Stefan
s.scheidt at cramer.de
Wed Sep 17 20:43:37 BST 2014
Hi!
I think I just found a serious flaw in the default templates shipped
with ZendTo.
If you upload a file as an unauthorized user, the claimID and
claimPasscode are included as hidden fields in the "Drop-Off Summary"
page as a part of the "deleteDropoff" form, even if you don't have
the permission to delete the DropOff.
If you send some files to a non-existent recipient matching the
emailDomainRegexp (e.g. nonexistentmail at validdomain.example) you can
simply build your own pickup link and forward this link to any mail
address you like or post it on the net.
Using this method you can abuse any ZendTo-server (using the default
templates) as a file-hoster.
Solution:
In the template "show_dropoff.tpl", find the following lines:
(Lines 75-82 in 4.11-14)
|<form name="deleteDropoff" method="post" action="{$zendToURL}delete.php">
| <input type="hidden" name="claimID" value="{$claimID}"/>
| <input type="hidden" name="claimPasscode" value="{$claimPasscode}"/>
|
| {if $emailAddr ne ""}
| <input type="hidden" name="emailAddr" value="{$emailAddr}"/>
| {/if}
|</form>
and enclose it in a conditional block (e.g. {if $isAuthorizedUser}{/if}).
I used a clean install of the 4.11-14.tgz for testing purposes.
Can anybody confirm this behaviour or prove me wrong?
Greetings from Germany and thanks for such a great piece of software...
Stefan Scheidt
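
Added example, not part of the original post and not ZendTo code: a Python check that parses a rendered "Drop-Off Summary" page and reports any hidden claimID or claimPasscode fields that carry a value, which can be used to confirm that the template change took effect. The two sample pages, their values and the zendto.example URL are constructed for illustration.

```python
from html.parser import HTMLParser

# Field names taken from the deleteDropoff form quoted in the post.
SENSITIVE_FIELDS = {"claimID", "claimPasscode"}

# Constructed sample: summary page as rendered by the default template.
PAGE_DEFAULT = """<h1>Drop-Off Summary</h1>
<form name="deleteDropoff" method="post" action="https://zendto.example/delete.php">
 <input type="hidden" name="claimID" value="CONSTRUCTED-ID"/>
 <input type="hidden" name="claimPasscode" value="CONSTRUCTED-PASS"/>
</form>
"""
# Constructed sample: same page once the form sits in a conditional that is false.
PAGE_FIXED = "<h1>Drop-Off Summary</h1>"


class HiddenFieldAudit(HTMLParser):
    """Collect sensitive hidden inputs together with the enclosing form name."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.findings = []  # (form name, field name) pairs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.current_form = attrs.get("name") or "(unnamed)"
        elif tag == "input":
            hidden = (attrs.get("type") or "").lower() == "hidden"
            if hidden and attrs.get("name") in SENSITIVE_FIELDS and attrs.get("value"):
                self.findings.append((self.current_form or "(no form)", attrs["name"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def audit_summary_page(html):
    """Return sorted (form, field) pairs that expose claim credentials."""
    parser = HiddenFieldAudit()
    parser.feed(html)
    parser.close()
    return sorted(parser.findings)


if __name__ == "__main__":
    for label, page in (("default", PAGE_DEFAULT), ("fixed", PAGE_FIXED)):
        print(label, audit_summary_page(page))
```
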