[ZendTo] Using a foreign ZendTo-Server as a file hoster

Scheidt, Stefan s.scheidt at cramer.de
Wed Sep 17 20:43:37 BST 2014


Hi!

I think I just found a serious flaw in the default templates shipped 
with ZendTo.

If you upload a file as an unauthorized user, the claimID and 
claimPasscode are included as hidden fields in the "Drop-Off Summary" 
page as a part of the "deleteDropoff" form, even if you don't have 
the permission to delete the DropOff.

If you send some files to a non-existent recipient matching the
emailDomainRegexp (e.g. nonexistentmail at validdomain.example) you can 
simply build your own pickup link and forward this link to any mail 
address you like or post it on the net. 

Using this method you can abuse any ZendTo-server (using the default 
templates) as a file-hoster. 

Solution:
In the template "show_dropoff.tpl", find the following lines:
(Lines 75-82 in 4.11-14)

|<form name="deleteDropoff" method="post" action="{$zendToURL}delete.php">
|  <input type="hidden" name="claimID" value="{$claimID}"/>
|  <input type="hidden" name="claimPasscode" value="{$claimPasscode}"/>
|
| {if $emailAddr ne ""}
|   <input type="hidden" name="emailAddr" value="{$emailAddr}"/>
| {/if}
|</form>

and enclose it in a conditional block (e.g. {if $isAuthorizedUser}{/if})

I used a clean install of the 4.11-14.tgz for testing purposes.
Can anybody confirm this behaviour or prove me wrong?

Greetings from Germany and thanks for such a great piece of software...

Stefan Scheidt
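
Added example, not part of the original post and not ZendTo code: a static check an administrator could run over a customised show_dropoff.tpl to see whether the claimID and claimPasscode hidden inputs sit outside every {if} block. The two sample templates are constructed from the snippet quoted in the post, and `$isAuthorizedUser` is the guard variable the post offers as an example; the check confirms only that some condition encloses the fields, not that it is the right one.

```python
import re

# Smarty {if}/{/if} tags, plus hidden inputs that carry the pickup secrets.
TOKEN = re.compile(
    r'\{(?P<open>if)\s+(?P<cond>[^}]*)\}'
    r'|\{(?P<close>/if)\}'
    r'|<input\b[^>]*\bname="(?P<field>claimID|claimPasscode)"[^>]*>',
    re.IGNORECASE,
)

def unguarded_claim_fields(template: str):
    """Return (line_number, field_name) for every claimID/claimPasscode input
    that is not nested inside any {if ...} block."""
    stack, findings = [], []
    for m in TOKEN.finditer(template):
        if m.group("open"):
            stack.append(m.group("cond").strip())   # entering a conditional
        elif m.group("close"):
            if stack:
                stack.pop()                         # leaving a conditional
        elif not stack:                             # field rendered unconditionally
            line = template.count("\n", 0, m.start()) + 1
            findings.append((line, m.group("field")))
    return findings

# Constructed sample: the form as quoted in the post (quote markers removed).
SHIPPED = '''<form name="deleteDropoff" method="post" action="{$zendToURL}delete.php">
  <input type="hidden" name="claimID" value="{$claimID}"/>
  <input type="hidden" name="claimPasscode" value="{$claimPasscode}"/>
  {if $emailAddr ne ""}
    <input type="hidden" name="emailAddr" value="{$emailAddr}"/>
  {/if}
</form>
'''

# Constructed sample: the same form wrapped as the post suggests.
GUARDED = "{if $isAuthorizedUser}\n" + SHIPPED + "{/if}\n"

if __name__ == "__main__":
    for name, tpl in (("shipped", SHIPPED), ("guarded", GUARDED)):
        hits = unguarded_claim_fields(tpl)
        print(name, "->", hits if hits else "claim fields are inside a conditional")
```

The inner `{if $emailAddr ne ""}` block in the shipped form guards only the emailAddr input, which is why the two claim fields are still reported.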


