[ZendTo] Re: Using a foreign ZendTo-Server as a file hoster

John Thurston john.thurston at alaska.gov
Thu Sep 18 20:38:09 BST 2014


On 9/18/2014 11:26 AM, John Thurston wrote:
> On 9/17/2014 11:43 AM, Scheidt, Stefan wrote:
>> Hi!
>>
>> I think I just found a serious flaw in the default templates shipped
>> with ZendTo.
>>
>> If you upload a file as an unauthorized user, the claimID and
>> claimPasscode are included as hidden fields in the "Drop-Off Summary"
>> page as a part of the "deleteDropoff" form, even if you don't have
>> the permission to delete the DropOff.
> - snip -

> Solution:
> In the template "show_dropoff.tpl", find the following lines:
> (Lines 75-82 in 4.11-14)
>
> |<form name="deleteDropoff" method="post" action="{$zendToURL}delete.php">
> |  <input type="hidden" name="claimID" value="{$claimID}"/>
> |  <input type="hidden" name="claimPasscode" value="{$claimPasscode}"/>
> |
> | {if $emailAddr ne ""}
> |   <input type="hidden" name="emailAddr" value="{$emailAddr}"/>
> | {/if}
> |</form>


Your proposed fix does appear to work as expected without breaking the 
behavior for legitimate users.

Have you looked at the other templates for other oddities? I'm heading 
there next, but it would be useful to know if I'm covering old ground.
-- 
    Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Enterprise Technology Services
Department of Administration
State of Alaska
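As an added example (not from this thread or the ZendTo project), a small regression check a site admin could run against the rendered "Drop-Off Summary" page after applying the template fix: it parses the HTML and reports any hidden claimID or claimPasscode fields still present. The form names, URL and field values in the sample pages are constructed placeholders, not real identifiers.

```python
from html.parser import HTMLParser

# Hidden-field names that must never be sent to a viewer who is not
# allowed to delete the drop-off (the fields named in the quoted template).
SENSITIVE_FIELDS = ("claimID", "claimPasscode")


class HiddenFieldScanner(HTMLParser):
    """Collects (form_name, field_name, value) for every hidden <input>."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current_form = a.get("name")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden.append((self.current_form, a.get("name"), a.get("value")))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def leaked_fields(page_html, sensitive=SENSITIVE_FIELDS):
    """Return [(form_name, field_name)] for sensitive hidden fields in the page."""
    scanner = HiddenFieldScanner()
    scanner.feed(page_html)
    return [(form, name) for form, name, _ in scanner.hidden if name in sensitive]


# Constructed sample: what an unauthenticated uploader sees with the
# unpatched template (placeholder claim values, hypothetical URL).
VULNERABLE_PAGE = """<html><body><h1>Drop-Off Summary</h1>
<form name="deleteDropoff" method="post" action="https://zendto.example/delete.php">
  <input type="hidden" name="claimID" value="PLACEHOLDER-CLAIMID"/>
  <input type="hidden" name="claimPasscode" value="PLACEHOLDER-PASSCODE"/>
</form></body></html>"""

# Constructed sample: the same page once the deleteDropoff form is only
# rendered for viewers permitted to delete; a hypothetical form with a
# non-sensitive hidden field stays and must not be flagged.
HARDENED_PAGE = """<html><body><h1>Drop-Off Summary</h1>
<form name="otherForm" method="post" action="https://zendto.example/other.php">
  <input type="hidden" name="emailAddr" value="sender@example.org"/>
</form></body></html>"""
```

Running `leaked_fields(VULNERABLE_PAGE)` returns both fields tagged with the `deleteDropoff` form, while the hardened page returns an empty list.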

