[ZendTo] Re: Using a foreign ZendTo-Server as a file hoster

John Thurston john.thurston at alaska.gov
Thu Sep 18 20:38:09 BST 2014


On 9/18/2014 11:26 AM, John Thurston wrote:
> On 9/17/2014 11:43 AM, Scheidt, Stefan wrote:
>> Hi!
>>
>> I think I just found a serious flaw in the default templates shipped
>> with ZendTo.
>>
>> If you upload a file as an unauthorized user, the claimID and
>> claimPasscode are included as hidden fields in the "Drop-Off Summary"
>> page as a part of the "deleteDropoff" form, even if you don't have
>> the permission to delete the DropOff.
> - snip -

> Solution:
> In the template "show_dropoff.tpl", find the following lines:
> (Lines 75-82 in 4.11-14)
>
> |<form name="deleteDropoff" method="post"
> action="{$zendToURL}delete.php">
> |  <input type="hidden" name="claimID" value="{$claimID}"/>
> |  <input type="hidden" name="claimPasscode" value="{$claimPasscode}"/>
> |
> | {if $emailAddr ne ""}
> |   <input type="hidden" name="emailAddr" value="{$emailAddr}"/>
> | {/if}
> |</form>


Your proposed fix does appear to work as expected without breaking the 
behavior for legitimate users.

Have you looked at the other templates for other oddities? I'm heading 
there next, but it would useful to know if I'm covering old ground.
-- 
    Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Enterprise Technology Services
Department of Administration
State of Alaska


More information about the ZendTo mailing list