From chris.venter1 at gmail.com  Tue Mar  1 19:14:53 2016
From: chris.venter1 at gmail.com (Chris Venter)
Date: Tue, 1 Mar 2016 19:14:53 +0000
Subject: [ZendTo] XSS
Message-ID: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>

Hi

Our security audit has highlighted a possible reflected cross site
scripting error on the pickup.php page,to test we ran

https://server_name/pickup/php?emailAddr=test" /><script>alert('XSS
Test')</script>

Can anyone else confirm if this is an issue?

Thanks
CJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160301/b31b03a5/attachment.html 

From kbe2 at lehigh.edu  Tue Mar  1 22:09:54 2016
From: kbe2 at lehigh.edu (Keith Erekson)
Date: Tue, 1 Mar 2016 17:09:54 -0500
Subject: [ZendTo] XSS
In-Reply-To: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>
References: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>
Message-ID: <56D61332.8010800@lehigh.edu>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Tested on Mac OS X 10.10, seems to work in Firefox (41 and 44), but not
Chrome (48) nor Safari (9).

(pickup.php, not pickup/php for anyone who wants to try)

~Keith

On 03/01/2016 02:14 PM, Chris Venter wrote:
> Hi
>
> Our security audit has highlighted a possible reflected cross site
scripting error on the pickup.php page,to test we ran
>
> https://server_name/pickup/php?emailAddr=test" /><script>alert('XSS
Test')</script>
>
> Can anyone else confirm if this is an issue?
>
> Thanks
> CJ
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJW1hMwAAoJEMdFVhhDm2SFxyEH+wVvzU2y4/Th4oMZKZruI+cb
At3pe8Sh/pEbMYgLUr7jpnuRKMPXs2Q+W7r0f9m/7P8s0TYWsfpOBhW7v2FC7uQ5
wep0NfZUByqFZpARocE9WB/2zRxh6oxOOy1RCcZjjnCNKBF2aVBvJUF7kfl2O57O
CwsWnXfosMNwBOsLTWzbSaV+FsoPLX4Ow5RH/cI1eBd64TLxOr+tmIsXatp+vua7
dtilpqxehF1REMyZyJx0e6u2pTdrsFJ5HoPinkk8GbsS2Q+hFfctan7NMsUr2gdP
BBmnSlSvAd3nzlFhlSApIA/+JbfSD6eooDcUxxNWJhWZP32s31+uTcg+OyIJWf8=
=tpYG
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160301/40fe5e91/attachment.html 

From Brian.Pocock at nebulas.co.uk  Wed Mar  2 06:57:32 2016
From: Brian.Pocock at nebulas.co.uk (Brian Pocock)
Date: Wed, 2 Mar 2016 06:57:32 +0000
Subject: [ZendTo] XSS
In-Reply-To: <56D61332.8010800@lehigh.edu>
References: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>
	<56D61332.8010800@lehigh.edu>
Message-ID: <F1B4CF17-A8A1-4049-B6CB-6F70F68E3A2F@nebulas.co.uk>

What version of Zend.to are you running? There is a known XSS in an earlier version of code.

Brian Pocock - Consultant
Nebulas

On 1 Mar 2016, at 22:14, Keith Erekson <kbe2 at lehigh.edu<mailto:kbe2 at lehigh.edu>> wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Tested on Mac OS X 10.10, seems to work in Firefox (41 and 44), but not Chrome (48) nor Safari (9).

(pickup.php, not pickup/php for anyone who wants to try)

~Keith

On 03/01/2016 02:14 PM, Chris Venter wrote:
> Hi
>
> Our security audit has highlighted a possible reflected cross site scripting error on the pickup.php page,to test we ran
>
> https://server_name/pickup/php?emailAddr=test" /><script>alert('XSS Test')</script>
>
> Can anyone else confirm if this is an issue?
>
> Thanks
> CJ
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to<mailto:ZendTo at zend.to>
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJW1hMwAAoJEMdFVhhDm2SFxyEH+wVvzU2y4/Th4oMZKZruI+cb
At3pe8Sh/pEbMYgLUr7jpnuRKMPXs2Q+W7r0f9m/7P8s0TYWsfpOBhW7v2FC7uQ5
wep0NfZUByqFZpARocE9WB/2zRxh6oxOOy1RCcZjjnCNKBF2aVBvJUF7kfl2O57O
CwsWnXfosMNwBOsLTWzbSaV+FsoPLX4Ow5RH/cI1eBd64TLxOr+tmIsXatp+vua7
dtilpqxehF1REMyZyJx0e6u2pTdrsFJ5HoPinkk8GbsS2Q+hFfctan7NMsUr2gdP
BBmnSlSvAd3nzlFhlSApIA/+JbfSD6eooDcUxxNWJhWZP32s31+uTcg+OyIJWf8=
=tpYG
-----END PGP SIGNATURE-----

_______________________________________________
ZendTo mailing list
ZendTo at zend.to<mailto:ZendTo at zend.to>
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
Company name: Nebulas Solutions Group Ltd Company Registration Number: 04281153 Place of Registration: England and Wales Registered Office Address: 256 Waterloo Road, London, SE1 8RF
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160302/2e1a1182/attachment.html 

From mailinglists at pcfreak.de  Wed Mar  2 13:09:53 2016
From: mailinglists at pcfreak.de (Der PCFreak)
Date: Wed, 2 Mar 2016 14:09:53 +0100
Subject: [ZendTo] XSS
In-Reply-To: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>
References: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>
Message-ID: <56D6E621.3040507@pcfreak.de>

Hi,

Barracuda offers their "Barracuda Vulnerability Manager" for free at the 
moment and I tested it.
https://bvm.barracudanetworks.com/


Here some of the results pointed at my ZendTo installation:


Reflected Cross-Site Scripting
==============================
https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value 
"--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed 
verbatim in the output, showing that there is a reflected XSS vulnerability.

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value 
"--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed 
verbatim in the output, showing that there is a reflected XSS vulnerability.

https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value 
"--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed 
verbatim in the output, showing that there is a reflected XSS vulnerability.

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value 
"--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed 
verbatim in the output, showing that there is a reflected XSS vulnerability.

HTML-Injection
==============
https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value <h1>tjkgr</h1>, and 
this value was echoed back verbatim in the resulting page.

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value <h1>xt90x</h1>, and this 
value was echoed back verbatim in the resulting page.

https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value <h1>zrjja</h1>, and 
this value was echoed back verbatim in the resulting page.
View Full HTTP Request and Response

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value <h1>anhxx</h1>, and this 
value was echoed back verbatim in the resulting page.

Kind regards

PCFreak





On 01.03.2016 20:14, Chris Venter wrote:
> Hi
>
> Our security audit has highlighted a possible reflected cross site 
> scripting error on the pickup.php page,to test we ran
>
> https://server_name/pickup/php?emailAddr=test" /><script>alert('XSS 
> Test')</script>
>
> Can anyone else confirm if this is an issue?
>
> Thanks
> CJ
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160302/c8e8792e/attachment.html 

From karl.bundy at aldentorch.com  Wed Mar  2 15:28:19 2016
From: karl.bundy at aldentorch.com (Karl Bundy)
Date: Wed, 2 Mar 2016 15:28:19 +0000
Subject: [ZendTo] XSS
In-Reply-To: <56D6E621.3040507@pcfreak.de>
References: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>
	<56D6E621.3040507@pcfreak.de>
Message-ID: <a9b2f059d6424b84b0a3afa5fc891203@MBX03B-IAD3.mex08.mlsrvr.com>

Hi everyone,

It appears that the issue is due to the fact that the email querystring variable is not being sanitized before being used.  I am not a skilled programmer, but I was able to make this simple change to the pickup.php file and it appears to have resolved this XSS issue.  Please use this at your own risk, as it appears to work for me, but your mileage may vary ;)

In the pickup.php file change this line:

$emailAddr = isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);

to this:

$emailAddr = str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));


Save the file, and then test again.


---Karl Bundy

From: zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] On Behalf Of Der PCFreak
Sent: Wednesday, March 02, 2016 6:10 AM
To: zendto at zend.to
Subject: Re: [ZendTo] XSS

Hi,

Barracuda offers their "Barracuda Vulnerability Manager" for free at the moment and I tested it.
https://bvm.barracudanetworks.com/


Here some of the results pointed at my ZendTo installation:


Reflected Cross-Site Scripting
==============================
https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value "--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value "--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.

https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value "--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value "--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.

HTML-Injection
==============
https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value <h1>tjkgr</h1>, and this value was echoed back verbatim in the resulting page.

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value <h1>xt90x</h1>, and this value was echoed back verbatim in the resulting page.

https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value <h1>zrjja</h1>, and this value was echoed back verbatim in the resulting page.
View Full HTTP Request and Response

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value <h1>anhxx</h1>, and this value was echoed back verbatim in the resulting page.

Kind regards

PCFreak




On 01.03.2016 20:14, Chris Venter wrote:
Hi
Our security audit has highlighted a possible reflected cross site scripting error on the pickup.php page,to test we ran

https://server_name/pickup/php?emailAddr=test" /><script>alert('XSS Test')</script>

Can anyone else confirm if this is an issue?
Thanks
CJ




_______________________________________________

ZendTo mailing list

ZendTo at zend.to<mailto:ZendTo at zend.to>

http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160302/675b5fa4/attachment.html 

From karl.bundy at aldentorch.com  Wed Mar  2 15:29:32 2016
From: karl.bundy at aldentorch.com (Karl Bundy)
Date: Wed, 2 Mar 2016 15:29:32 +0000
Subject: [ZendTo] XSS
References: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>
	<56D6E621.3040507@pcfreak.de> 
Message-ID: <2c7e9e6e199149f7a61114147ebe3ced@MBX03B-IAD3.mex08.mlsrvr.com>

I forgot to mention that this was based on the code for version 4.12

--- Karl Bundy

From: Karl Bundy
Sent: Wednesday, March 02, 2016 8:28 AM
To: zendto at zend.to
Subject: RE: [ZendTo] XSS

Hi everyone,

It appears that the issue is due to the fact that the email querystring variable is not being sanitized before being used.  I am not a skilled programmer, but I was able to make this simple change to the pickup.php file and it appears to have resolved this XSS issue.  Please use this at your own risk, as it appears to work for me, but your mileage may vary ;)

In the pickup.php file change this line:

$emailAddr = isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);

to this:

$emailAddr = str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));


Save the file, and then test again.


---Karl Bundy

From: zendto-bounces at zend.to<mailto:zendto-bounces at zend.to> [mailto:zendto-bounces at zend.to] On Behalf Of Der PCFreak
Sent: Wednesday, March 02, 2016 6:10 AM
To: zendto at zend.to<mailto:zendto at zend.to>
Subject: Re: [ZendTo] XSS

Hi,

Barracuda offers their "Barracuda Vulnerability Manager" for free at the moment and I tested it.
https://bvm.barracudanetworks.com/


Here some of the results pointed at my ZendTo installation:


Reflected Cross-Site Scripting
==============================
https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value "--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value "--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.

https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value "--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value "--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.

HTML-Injection
==============
https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value <h1>tjkgr</h1>, and this value was echoed back verbatim in the resulting page.

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value <h1>xt90x</h1>, and this value was echoed back verbatim in the resulting page.

https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value <h1>zrjja</h1>, and this value was echoed back verbatim in the resulting page.
View Full HTTP Request and Response

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value <h1>anhxx</h1>, and this value was echoed back verbatim in the resulting page.

Kind regards

PCFreak



On 01.03.2016 20:14, Chris Venter wrote:
Hi
Our security audit has highlighted a possible reflected cross site scripting error on the pickup.php page,to test we ran

https://server_name/pickup/php?emailAddr=test" /><script>alert('XSS Test')</script>

Can anyone else confirm if this is an issue?
Thanks
CJ



_______________________________________________

ZendTo mailing list

ZendTo at zend.to<mailto:ZendTo at zend.to>

http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160302/79e4dd4d/attachment-0001.html 

From chris.venter1 at gmail.com  Wed Mar  2 16:27:41 2016
From: chris.venter1 at gmail.com (Chris Venter)
Date: Wed, 2 Mar 2016 16:27:41 +0000
Subject: [ZendTo] ZendTo Digest, Vol 68, Issue 3
In-Reply-To: <mailman.409.1456932575.15500.zendto@zend.to>
References: <mailman.409.1456932575.15500.zendto@zend.to>
Message-ID: <CAPgmoWbWsU3LbtkiMp4ZVgSpFecx+LwOE0DaJmgq5r8a6Xc9Ow@mail.gmail.com>

Hi All

Thanks for the help, I will try the fix and test again.

Thanks
C

On 2 March 2016 at 15:29, <zendto-request at zend.to> wrote:

> Send ZendTo mailing list submissions to
>         zendto at zend.to
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
> or, via email, send a message with subject or body 'help' to
>         zendto-request at zend.to
>
> You can reach the person managing the list at
>         zendto-owner at zend.to
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of ZendTo digest..."
>
> Today's Topics:
>
>    1. Re: XSS (Der PCFreak)
>    2. Re: XSS (Karl Bundy)
>    3. Re: XSS (Karl Bundy)
>
>
> ---------- Forwarded message ----------
> From: Der PCFreak <mailinglists at pcfreak.de>
> To: zendto at zend.to
> Cc:
> Date: Wed, 2 Mar 2016 14:09:53 +0100
> Subject: Re: [ZendTo] XSS
> Hi,
>
> Barracuda offers their "Barracuda Vulnerability Manager" for free at the
> moment and I tested it.
> https://bvm.barracudanetworks.com/
>
>
> Here some of the results pointed at my ZendTo installation:
>
>
> Reflected Cross-Site Scripting
> ==============================
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value
> "--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value
> "--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value
> "--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value
> "--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
>
> HTML-Injection
> ==============
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value <h1>tjkgr</h1>, and
> this value was echoed back verbatim in the resulting page.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value <h1>xt90x</h1>, and this
> value was echoed back verbatim in the resulting page.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value <h1>zrjja</h1>, and
> this value was echoed back verbatim in the resulting page.
> View Full HTTP Request and Response
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value <h1>anhxx</h1>, and this
> value was echoed back verbatim in the resulting page.
>
> Kind regards
>
> PCFreak
>
>
>
>
>
> On 01.03.2016 20:14, Chris Venter wrote:
>
> Hi
>
> Our security audit has highlighted a possible reflected cross site
> scripting error on the pickup.php page,to test we ran
>
> https://server_name/pickup/php?emailAddr=test" /><script>alert('XSS
> Test')</script>
>
> Can anyone else confirm if this is an issue?
>
> Thanks
> CJ
>
>
> _______________________________________________
> ZendTo mailing listZendTo at zend.tohttp://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
>
>
>
> ---------- Forwarded message ----------
> From: Karl Bundy <karl.bundy at aldentorch.com>
> To: ZendTo Users <zendto at zend.to>
> Cc:
> Date: Wed, 2 Mar 2016 15:28:19 +0000
> Subject: Re: [ZendTo] XSS
>
> Hi everyone,
>
>
>
> It appears that the issue is due to the fact that the email querystring
> variable is not being sanitized before being used.  I am not a skilled
> programmer, but I was able to make this simple change to the pickup.php
> file and it appears to have resolved this XSS issue.  Please use this at
> your own risk, as it appears to work for me, but your mileage may vary ;)
>
>
>
> In the pickup.php file change this line:
>
>
>
> $emailAddr =
> isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);
>
>
>
> to this:
>
>
>
> $emailAddr =
> str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));
>
>
>
>
>
> Save the file, and then test again.
>
>
>
>
>
> ---Karl Bundy
>
>
>
> *From:* zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] *On Behalf
> Of *Der PCFreak
> *Sent:* Wednesday, March 02, 2016 6:10 AM
> *To:* zendto at zend.to
> *Subject:* Re: [ZendTo] XSS
>
>
>
> Hi,
>
> Barracuda offers their "Barracuda Vulnerability Manager" for free at the
> moment and I tested it.
> https://bvm.barracudanetworks.com/
>
>
> Here some of the results pointed at my ZendTo installation:
>
>
> Reflected Cross-Site Scripting
> ==============================
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value
> "--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value
> "--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value
> "--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value
> "--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
>
> HTML-Injection
> ==============
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value <h1>tjkgr</h1>, and
> this value was echoed back verbatim in the resulting page.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value <h1>xt90x</h1>, and this
> value was echoed back verbatim in the resulting page.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value <h1>zrjja</h1>, and
> this value was echoed back verbatim in the resulting page.
> View Full HTTP Request and Response
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value <h1>anhxx</h1>, and this
> value was echoed back verbatim in the resulting page.
>
> Kind regards
>
> PCFreak
>
>
>
>
> On 01.03.2016 20:14, Chris Venter wrote:
>
> Hi
>
> Our security audit has highlighted a possible reflected cross site
> scripting error on the pickup.php page,to test we ran
>
> https://server_name/pickup/php?emailAddr=test" /><script>alert('XSS
> Test')</script>
>
>
>
> Can anyone else confirm if this is an issue?
>
> Thanks
>
> CJ
>
>
>
>
> _______________________________________________
>
> ZendTo mailing list
>
> ZendTo at zend.to
>
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
>
>
>
> ---------- Forwarded message ----------
> From: Karl Bundy <karl.bundy at aldentorch.com>
> To: ZendTo Users <zendto at zend.to>
> Cc:
> Date: Wed, 2 Mar 2016 15:29:32 +0000
> Subject: Re: [ZendTo] XSS
>
> I forgot to mention that this was based on the code for version 4.12
>
>
>
> --- Karl Bundy
>
>
>
> *From:* Karl Bundy
> *Sent:* Wednesday, March 02, 2016 8:28 AM
> *To:* zendto at zend.to
> *Subject:* RE: [ZendTo] XSS
>
>
>
> Hi everyone,
>
>
>
> It appears that the issue is due to the fact that the email querystring
> variable is not being sanitized before being used.  I am not a skilled
> programmer, but I was able to make this simple change to the pickup.php
> file and it appears to have resolved this XSS issue.  Please use this at
> your own risk, as it appears to work for me, but your mileage may vary ;)
>
>
>
> In the pickup.php file change this line:
>
>
>
> $emailAddr =
> isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);
>
>
>
> to this:
>
>
>
> $emailAddr =
> str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));
>
>
>
>
>
> Save the file, and then test again.
>
>
>
>
>
> ---Karl Bundy
>
>
>
> *From:* zendto-bounces at zend.to [mailto:zendto-bounces at zend.to
> <zendto-bounces at zend.to>] *On Behalf Of *Der PCFreak
> *Sent:* Wednesday, March 02, 2016 6:10 AM
> *To:* zendto at zend.to
> *Subject:* Re: [ZendTo] XSS
>
>
>
> Hi,
>
> Barracuda offers their "Barracuda Vulnerability Manager" for free at the
> moment and I tested it.
> https://bvm.barracudanetworks.com/
>
>
> Here some of the results pointed at my ZendTo installation:
>
>
> Reflected Cross-Site Scripting
> ==============================
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value
> "--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value
> "--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value
> "--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value
> "--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
>
> HTML-Injection
> ==============
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value <h1>tjkgr</h1>, and
> this value was echoed back verbatim in the resulting page.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value <h1>xt90x</h1>, and this
> value was echoed back verbatim in the resulting page.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value <h1>zrjja</h1>, and
> this value was echoed back verbatim in the resulting page.
> View Full HTTP Request and Response
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value <h1>anhxx</h1>, and this
> value was echoed back verbatim in the resulting page.
>
> Kind regards
>
> PCFreak
>
>
>
> On 01.03.2016 20:14, Chris Venter wrote:
>
> Hi
>
> Our security audit has highlighted a possible reflected cross site
> scripting error on the pickup.php page,to test we ran
>
> https://server_name/pickup/php?emailAddr=test" /><script>alert('XSS
> Test')</script>
>
>
>
> Can anyone else confirm if this is an issue?
>
> Thanks
>
> CJ
>
>
>
> _______________________________________________
>
> ZendTo mailing list
>
> ZendTo at zend.to
>
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160302/24f9005c/attachment-0001.html 

From Jules at Zend.To  Wed Mar  2 17:06:58 2016
From: Jules at Zend.To (Jules)
Date: Wed, 2 Mar 2016 17:06:58 +0000
Subject: [ZendTo] XSS
In-Reply-To: <a9b2f059d6424b84b0a3afa5fc891203@MBX03B-IAD3.mex08.mlsrvr.com>
References: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>
	<56D6E621.3040507@pcfreak.de>
	<a9b2f059d6424b84b0a3afa5fc891203@MBX03B-IAD3.mex08.mlsrvr.com>
Message-ID: <56D71DB2.3070103@Zend.To>

Hi guys!

Sorry about this one. The fault isn't actually in that line, it's just 
below it where it says this:

     if ( isset($recipEmail) && ! 
preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {
       $emailAddr = 'INVALID';
     }

Those 2 "$recipEmail" should of course both be "$emailAddr".

I did carefully check the email address was valid, but put in the wrong 
variable name to check. :-(
My bad.

That should fix it. No need to restart httpd or anything, just save the 
file and reload the page.

Cheers,
Jules.

P.S. Sorry I haven't done an update in *ages*. 2 questions: (1) What 
other outstanding bugs/patches are there?, and (2) Is it worth me 
re-writing the areyouahuman CAPTCHA code for their new one, or is 
everyone happy with the Google one (reCAPTCHA) that is there already?

On 02/03/2016 15:28, Karl Bundy wrote:
>
> Hi everyone,
>
> It appears that the issue is due to the fact that the email 
> querystring variable is not being sanitized before being used.  I am 
> not a skilled programmer, but I was able to make this simple change to 
> the pickup.php file and it appears to have resolved this XSS issue.  
> Please use this at your own risk, as it appears to work for me, but 
> your mileage may vary ;)
>
> In the pickup.php file change this line:
>
> $emailAddr = 
> isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);
>
> to this:
>
> $emailAddr = 
> str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));
>
> Save the file, and then test again.
>
> ---Karl Bundy
>
> *From:*zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] *On 
> Behalf Of *Der PCFreak
> *Sent:* Wednesday, March 02, 2016 6:10 AM
> *To:* zendto at zend.to
> *Subject:* Re: [ZendTo] XSS
>
> Hi,
>
> Barracuda offers their "Barracuda Vulnerability Manager" for free at 
> the moment and I tested it.
> https://bvm.barracudanetworks.com/
>
>
> Here some of the results pointed at my ZendTo installation:
>
>
> Reflected Cross-Site Scripting
> ==============================
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value 
> "--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed 
> verbatim in the output, showing that there is a reflected XSS 
> vulnerability.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value 
> "--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed 
> verbatim in the output, showing that there is a reflected XSS 
> vulnerability.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value 
> "--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed 
> verbatim in the output, showing that there is a reflected XSS 
> vulnerability.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value 
> "--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed 
> verbatim in the output, showing that there is a reflected XSS 
> vulnerability.
>
> HTML-Injection
> ==============
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value <h1>tjkgr</h1>, 
> and this value was echoed back verbatim in the resulting page.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value <h1>xt90x</h1>, and 
> this value was echoed back verbatim in the resulting page.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value <h1>zrjja</h1>, 
> and this value was echoed back verbatim in the resulting page.
> View Full HTTP Request and Response
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value <h1>anhxx</h1>, and 
> this value was echoed back verbatim in the resulting page.
>
> Kind regards
>
> PCFreak
>
>
>
>
> On 01.03.2016 20:14, Chris Venter wrote:
>
>     Hi
>
>     Our security audit has highlighted a possible reflected cross site
>     scripting error on the pickup.php page,to test we ran
>
>     https://server_name/pickup/php?emailAddr=test"
>     /><script>alert('XSS Test')</script>
>
>     Can anyone else confirm if this is an issue?
>
>     Thanks
>
>     CJ
>
>
>
>
>     _______________________________________________
>
>     ZendTo mailing list
>
>     ZendTo at zend.to <mailto:ZendTo at zend.to>
>
>     http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
> Jules
>
> -- 
> Julian Field MEng MBCS CITP CEng
>
>
> www.Zend.To
> Twitter: @JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160302/7be127a8/attachment.html 

From kbe2 at lehigh.edu  Wed Mar  2 18:16:02 2016
From: kbe2 at lehigh.edu (Keith Erekson)
Date: Wed, 2 Mar 2016 13:16:02 -0500
Subject: [ZendTo] XSS
In-Reply-To: <F1B4CF17-A8A1-4049-B6CB-6F70F68E3A2F@nebulas.co.uk>
References: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>
	<56D61332.8010800@lehigh.edu>
	<F1B4CF17-A8A1-4049-B6CB-6F70F68E3A2F@nebulas.co.uk>
Message-ID: <56D72DE2.70402@lehigh.edu>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

4.12-5

On 03/02/2016 01:57 AM, Brian Pocock wrote:
> What version of Zend.to are you running? There is a known XSS in an earlier version of code.
>
> Brian Pocock - Consultant
> Nebulas
>
> On 1 Mar 2016, at 22:14, Keith Erekson <kbe2 at lehigh.edu
<mailto:kbe2 at lehigh.edu>> wrote:
>
>>
> Tested on Mac OS X 10.10, seems to work in Firefox (41 and 44), but
not Chrome (48) nor Safari (9).
>
> (pickup.php, not pickup/php for anyone who wants to try)
>
> ~Keith
>
> On 03/01/2016 02:14 PM, Chris Venter wrote:
> > Hi
>
>
>
>       > Our security audit has highlighted a possible reflected cross
>       site scripting error on the pickup.php page,to test we ran
>
>
>
>       > https://server_name/pickup/php?emailAddr=test"
>       /><script>alert('XSS Test')</script>
>
>
>
>       > Can anyone else confirm if this is an issue?
>
>
>
>       > Thanks
>
>       > CJ
>
>
>
>
>
>       > _______________________________________________
>
>       > ZendTo mailing list
>
>       > ZendTo at zend.to
>
>       > http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
>>
>> _______________________________________________
>> ZendTo mailing list
>> ZendTo at zend.to <mailto:ZendTo at zend.to>
>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
> *Company name:* Nebulas Solutions Group Ltd *Company Registration
Number:* 04281153 *Place of Registration:* England and Wales *Registered
Office Address:* 256 Waterloo Road, London, SE1 8RF
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJW1y3fAAoJEMdFVhhDm2SFEhIH/2P6RW7MOzcQuAeXvfZ0Nhi7
ibG4eWItPWFizpWVec8E4rJZI9BX/3dHmwKzwf5VKHSHASywr0q4kchBYaalseeH
OcFEjKf3AlPH1rPW9l3bRxCjVKl7C5dP3s8rJpWYHCAr3uhJnv9ddC0pGUfeXafG
ccbsIU3aJ7SbLM9E6zWX9rBXAFcSpgXjydEVyqGiZ1Atl5jpeyl38EsKZmi+81uZ
ddEey+LPyHeXjbCxa/BgwCW/2WOC7vy7G9wComED4O8uw+VExhG0jMxv8sqcGdzS
cT0pqClcXWTgcj293WFi/Ek6gxiHCHcR/N/TNF8w9eLLUcz2wJJkekU3CKiD0a0=
=1x2p
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160302/2fcb7134/attachment-0001.html 

From kbe2 at lehigh.edu  Wed Mar  2 18:29:05 2016
From: kbe2 at lehigh.edu (Keith Erekson)
Date: Wed, 2 Mar 2016 13:29:05 -0500
Subject: [ZendTo] XSS
In-Reply-To: <56D71DB2.3070103@Zend.To>
References: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>
	<56D6E621.3040507@pcfreak.de>
	<a9b2f059d6424b84b0a3afa5fc891203@MBX03B-IAD3.mex08.mlsrvr.com>
	<56D71DB2.3070103@Zend.To>
Message-ID: <56D730F1.1010006@lehigh.edu>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I can confirm that this fixes the issue.

For the Debian package, here is the patch for /opt/zendto/www/pickup.php:

- --- pickup.php.old    2016-03-02 13:25:27.000000000 -0500
+++ pickup.php    2016-03-02 13:25:30.000000000 -0500
@@ -180,7 +180,7 @@
 
     $claimID = preg_replace('/[^a-zA-Z0-9]/', '', $claimID);
     $claimPasscode = preg_replace('/[^a-zA-Z0-9]/', '', $claimPasscode);
- -    if ( isset($recipEmail) && !
preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {
+    if ( isset($emailAddr) && !
preg_match($theDropbox->validEmailRegexp(),$emailAddr) ) {
       $emailAddr = 'INVALID';
     }
 


On 03/02/2016 12:06 PM, Jules wrote:
> Hi guys!
>
> Sorry about this one. The fault isn't actually in that line, it's just
below it where it says this:
>
>     if ( isset($recipEmail) && !
preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {
>       $emailAddr = 'INVALID';
>     }
>
> Those 2 "$recipEmail" should of course both be "$emailAddr".
>
> I did carefully check the email address was valid, but put in the
wrong variable name to check. :-(
> My bad.
>
> That should fix it. No need to restart httpd or anything, just save
the file and reload the page.
>
> Cheers,
> Jules.
>
> P.S. Sorry I haven't done an update in *ages*. 2 questions: (1) What
other outstanding bugs/patches are there?, and (2) Is it worth me
re-writing the areyouahuman CAPTCHA code for their new one, or is
everyone happy with the Google one (reCAPTCHA) that is there already?
>
> On 02/03/2016 15:28, Karl Bundy wrote:
>>
>> Hi everyone,
>>
>> 
>>
>> It appears that the issue is due to the fact that the email
querystring variable is not being sanitized before being used.  I am not
a skilled programmer, but I was able to make this simple change to the
pickup.php file and it appears to have resolved this XSS issue.  Please
use this at your own risk, as it appears to work for me, but your
mileage may vary ;)
>>
>> 
>>
>> In the pickup.php file change this line:
>>
>> 
>>
>> $emailAddr =
isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);
>>
>> 
>>
>> to this:
>>
>> 
>>
>> $emailAddr =
str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));
>>
>> 
>>
>> 
>>
>> Save the file, and then test again.
>>
>> 
>>
>> 
>>
>> ---Karl Bundy
>>
>> 
>>
>> *From:*zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] *On
Behalf Of *Der PCFreak
>> *Sent:* Wednesday, March 02, 2016 6:10 AM
>> *To:* zendto at zend.to
>> *Subject:* Re: [ZendTo] XSS
>>
>> 
>>
>> Hi,
>>
>> Barracuda offers their "Barracuda Vulnerability Manager" for free at
the moment and I tested it.
>> https://bvm.barracudanetworks.com/
>>
>>
>> Here some of the results pointed at my ZendTo installation:
>>
>>
>> Reflected Cross-Site Scripting
>> ==============================
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The emailAddr parameter was submitted with the value
"--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed
verbatim in the output, showing that there is a reflected XSS vulnerability.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The auth parameter was submitted with the value
"--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed
verbatim in the output, showing that there is a reflected XSS vulnerability.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The emailAddr parameter was submitted with the value
"--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed
verbatim in the output, showing that there is a reflected XSS vulnerability.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The auth parameter was submitted with the value
"--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed
verbatim in the output, showing that there is a reflected XSS vulnerability.
>>
>> HTML-Injection
>> ==============
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The emailAddr parameter was submitted with the value <h1>tjkgr</h1>,
and this value was echoed back verbatim in the resulting page.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The auth parameter was submitted with the value <h1>xt90x</h1>, and
this value was echoed back verbatim in the resulting page.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The emailAddr parameter was submitted with the value <h1>zrjja</h1>,
and this value was echoed back verbatim in the resulting page.
>> View Full HTTP Request and Response
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The auth parameter was submitted with the value <h1>anhxx</h1>, and
this value was echoed back verbatim in the resulting page.
>>
>> Kind regards
>>
>> PCFreak
>>
>>
>>
>>
>> On 01.03.2016 20:14, Chris Venter wrote:
>>
>>     Hi
>>
>>     Our security audit has highlighted a possible reflected cross
site scripting error on the pickup.php page,to test we ran
>>
>>     https://server_name/pickup/php?emailAddr=test"
/><script>alert('XSS Test')</script>
>>
>>     
>>
>>     Can anyone else confirm if this is an issue?
>>
>>     Thanks
>>
>>     CJ
>>
>>
>>
>>
>>     _______________________________________________
>>
>>     ZendTo mailing list
>>
>>     ZendTo at zend.to <mailto:ZendTo at zend.to>
>>
>>     http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>
>> 
>>
>>
>>
>> _______________________________________________
>> ZendTo mailing list
>> ZendTo at zend.to
>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>
>> Jules
>>
>> --
>> Julian Field MEng MBCS CITP CEng
>>
>>
>> www.Zend.To
>> Twitter: @JulesFM
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJW1zDuAAoJEMdFVhhDm2SFvU4H/3ql/g9ugTk9c4oclyU9ZKeX
oOd0/ZIJ0wQLEqejDkXVj8QzP2651C+8RBt96vGJMQx7N7SowfGUqOQZtKwK2hlA
B5bGzI/MXcpvolhb7GCI5LlBnfmau5L1qtRzqHJbtXgoW5k2TicEXzKpOUZwj9/J
y8HTmO8f/rqUREG3kdmQrLsqHsAbUzz63uV8ocLLPTsDq9hBNMrLlW/OtrWJ3sWk
MvKTh6PGwYMl4nLiObGoA0hYPnzzTYNv2kPLG8XeZqSp/btr3tPPadZ6NmoLYyDm
uX6G3ywdW5jAJZj2oUHu7hc6FCyItV/WewvdVDvuagecDmuVTB8zOF5J/rpQkOM=
=rcZ8
-----END PGP SIGNATURE-----

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160302/b7a47139/attachment.html 

From chris.venter1 at gmail.com  Wed Mar  2 22:15:13 2016
From: chris.venter1 at gmail.com (Chris Venter)
Date: Wed, 2 Mar 2016 22:15:13 +0000
Subject: [ZendTo] XSS
In-Reply-To: <56D730F1.1010006@lehigh.edu>
References: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>
	<56D6E621.3040507@pcfreak.de>
	<a9b2f059d6424b84b0a3afa5fc891203@MBX03B-IAD3.mex08.mlsrvr.com>
	<56D71DB2.3070103@Zend.To> <56D730F1.1010006@lehigh.edu>
Message-ID: <CAPgmoWaw=HL_jtx9Bmt2PohGdD5dL+4OvXdMtC3zd89Lr8Lk6A@mail.gmail.com>

I can also confirm the fix from Jules has worked, Thanks for the help all,
as for the other questions reCAPTCHA is fine for our use.

Cheers
C

On 2 March 2016 at 18:29, Keith Erekson <kbe2 at lehigh.edu> wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> I can confirm that this fixes the issue.
>
> For the Debian package, here is the patch for /opt/zendto/www/pickup.php:
>
> - --- pickup.php.old    2016-03-02 13:25:27.000000000 -0500
> +++ pickup.php    2016-03-02 13:25:30.000000000 -0500
> @@ -180,7 +180,7 @@
>
>      $claimID = preg_replace('/[^a-zA-Z0-9]/', '', $claimID);
>      $claimPasscode = preg_replace('/[^a-zA-Z0-9]/', '', $claimPasscode);
> - -    if ( isset($recipEmail) && !
> preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {
> +    if ( isset($emailAddr) && !
> preg_match($theDropbox->validEmailRegexp(),$emailAddr) ) {
>        $emailAddr = 'INVALID';
>      }
>
>
>
> On 03/02/2016 12:06 PM, Jules wrote:
> > Hi guys!
> >
> > Sorry about this one. The fault isn't actually in that line, it's just
> below it where it says this:
> >
> >     if ( isset($recipEmail) && !
> preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {
> >       $emailAddr = 'INVALID';
> >     }
> >
> > Those 2 "$recipEmail" should of course both be "$emailAddr".
> >
> > I did carefully check the email address was valid, but put in the wrong
> variable name to check. :-(
> > My bad.
> >
> > That should fix it. No need to restart httpd or anything, just save the
> file and reload the page.
> >
> > Cheers,
> > Jules.
> >
> > P.S. Sorry I haven't done an update in *ages*. 2 questions: (1) What
> other outstanding bugs/patches are there?, and (2) Is it worth me
> re-writing the areyouahuman CAPTCHA code for their new one, or is everyone
> happy with the Google one (reCAPTCHA) that is there already?
> >
> > On 02/03/2016 15:28, Karl Bundy wrote:
> >>
> >> Hi everyone,
> >>
> >>
> >>
> >> It appears that the issue is due to the fact that the email querystring
> variable is not being sanitized before being used.  I am not a skilled
> programmer, but I was able to make this simple change to the pickup.php
> file and it appears to have resolved this XSS issue.  Please use this at
> your own risk, as it appears to work for me, but your mileage may vary ;)
> >>
> >>
> >>
> >> In the pickup.php file change this line:
> >>
> >>
> >>
> >> $emailAddr =
> isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);
> >>
> >>
> >>
> >> to this:
> >>
> >>
> >>
> >> $emailAddr =
> str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));
> >>
> >>
> >>
> >>
> >>
> >> Save the file, and then test again.
> >>
> >>
> >>
> >>
> >>
> >> ---Karl Bundy
> >>
> >>
> >>
> >> *From:*zendto-bounces at zend.to [mailto:zendto-bounces at zend.to
> <zendto-bounces at zend.to>] *On Behalf Of *Der PCFreak
> >> *Sent:* Wednesday, March 02, 2016 6:10 AM
> >> *To:* zendto at zend.to
> >> *Subject:* Re: [ZendTo] XSS
>
> >>
> >>
> >>
> >> Hi,
> >>
> >> Barracuda offers their "Barracuda Vulnerability Manager" for free at
> the moment and I tested it.
> >> https://bvm.barracudanetworks.com/
> >>
> >>
> >> Here some of the results pointed at my ZendTo installation:
> >>
> >>
> >> Reflected Cross-Site Scripting
> >> ==============================
> >> https://your.url.tld/pickup.php
> >> Issue Detail
> >> The emailAddr parameter was submitted with the value
> "--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
> >>
> >> https://your.url.tld/pickup.php
> >> Issue Detail
> >> The auth parameter was submitted with the value
> "--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
> >>
> >> https://your.url.tld/pickup.php
> >> Issue Detail
> >> The emailAddr parameter was submitted with the value
> "--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
> >>
> >> https://your.url.tld/pickup.php
> >> Issue Detail
> >> The auth parameter was submitted with the value
> "--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
> >>
> >> HTML-Injection
> >> ==============
> >> https://your.url.tld/pickup.php
> >> Issue Detail
> >> The emailAddr parameter was submitted with the value <h1>tjkgr</h1>,
> and this value was echoed back verbatim in the resulting page.
> >>
> >> https://your.url.tld/pickup.php
> >> Issue Detail
> >> The auth parameter was submitted with the value <h1>xt90x</h1>, and
> this value was echoed back verbatim in the resulting page.
> >>
> >> https://your.url.tld/pickup.php
> >> Issue Detail
> >> The emailAddr parameter was submitted with the value <h1>zrjja</h1>,
> and this value was echoed back verbatim in the resulting page.
> >> View Full HTTP Request and Response
> >>
> >> https://your.url.tld/pickup.php
> >> Issue Detail
> >> The auth parameter was submitted with the value <h1>anhxx</h1>, and
> this value was echoed back verbatim in the resulting page.
> >>
> >> Kind regards
> >>
> >> PCFreak
> >>
> >>
> >>
> >>
> >> On 01.03.2016 20:14, Chris Venter wrote:
> >>
> >>     Hi
> >>
> >>     Our security audit has highlighted a possible reflected cross site
> scripting error on the pickup.php page,to test we ran
> >>
> >>     https://server_name/pickup/php?emailAddr=test"
> /><script>alert('XSS Test')</script>
> >>
> >>
> >>
> >>     Can anyone else confirm if this is an issue?
> >>
> >>     Thanks
> >>
> >>     CJ
> >>
> >>
> >>
> >>
> >>     _______________________________________________
> >>
> >>     ZendTo mailing list
> >>
> >>     ZendTo at zend.to <mailto:ZendTo at zend.to> <ZendTo at zend.to>
> >>
> >>     http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
> >>
> >>
> >>
> >>
> >>
> >> _______________________________________________
> >> ZendTo mailing list
> >> ZendTo at zend.to
> >> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
> >>
> >> Jules
> >>
> >> --
> >> Julian Field MEng MBCS CITP CEng
> >>
> >>
> >> www.Zend.To
> >> Twitter: @JulesFM
> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
> >
> > _______________________________________________
> > ZendTo mailing list
> > ZendTo at zend.to
> > http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
>
> iQEcBAEBCAAGBQJW1zDuAAoJEMdFVhhDm2SFvU4H/3ql/g9ugTk9c4oclyU9ZKeX
> oOd0/ZIJ0wQLEqejDkXVj8QzP2651C+8RBt96vGJMQx7N7SowfGUqOQZtKwK2hlA
> B5bGzI/MXcpvolhb7GCI5LlBnfmau5L1qtRzqHJbtXgoW5k2TicEXzKpOUZwj9/J
> y8HTmO8f/rqUREG3kdmQrLsqHsAbUzz63uV8ocLLPTsDq9hBNMrLlW/OtrWJ3sWk
> MvKTh6PGwYMl4nLiObGoA0hYPnzzTYNv2kPLG8XeZqSp/btr3tPPadZ6NmoLYyDm
> uX6G3ywdW5jAJZj2oUHu7hc6FCyItV/WewvdVDvuagecDmuVTB8zOF5J/rpQkOM=
> =rcZ8
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160302/b08347a3/attachment-0001.html 

From kevin.miller at juneau.org  Wed Mar  2 23:37:07 2016
From: kevin.miller at juneau.org (Kevin Miller)
Date: Wed, 2 Mar 2016 23:37:07 +0000
Subject: [ZendTo] XSS
In-Reply-To: <56D71DB2.3070103@Zend.To>
References: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>
	<56D6E621.3040507@pcfreak.de>
	<a9b2f059d6424b84b0a3afa5fc891203@MBX03B-IAD3.mex08.mlsrvr.com>
	<56D71DB2.3070103@Zend.To>
Message-ID: <4bbc10de94694a14bf883d2fdc522ad5@City-Exch-DB1.cbj.local>

>P.S. Sorry I haven't done an update in *ages*. 2 questions:
> (1) What other outstanding bugs/patches are there?, and 
>(2) Is it worth me re-writing the areyouahuman CAPTCHA 
> code for their new one, or is everyone happy with the Google 
> one (reCAPTCHA) that is there already?

Not sure about bug patches in zendto, but of late there are some significant issues regarding web server security, if you'll indulge a bit of slightly off-topic traffic.

A new attack makes all servers running SSLv2 vulnerable.
Info on the latest attack can be had here:
  https://drownattack.com/
  http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html
Note that the attack works even if SSLv2 is "soft disabled" by disabling all SSLv2 ciphers.

To check for other vulnerabilities, run the tests at :
  https://www.ssllabs.com/ssltest/index.html

For fixes, see:
  http://blog.rlove.org/2013/12/strong-ssl-crypto.html

Regarding AreYouAHuman, I just rolled back to reCaptcha.  Options are nice, but the reCaptcha isn't nearly as odious as it was in the past.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357



From mailinglists at pcfreak.de  Thu Mar  3 07:07:43 2016
From: mailinglists at pcfreak.de (Der PCFreak)
Date: Thu, 3 Mar 2016 08:07:43 +0100
Subject: [ZendTo] XSS
In-Reply-To: <4bbc10de94694a14bf883d2fdc522ad5@City-Exch-DB1.cbj.local>
References: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>
	<56D6E621.3040507@pcfreak.de>
	<a9b2f059d6424b84b0a3afa5fc891203@MBX03B-IAD3.mex08.mlsrvr.com>
	<56D71DB2.3070103@Zend.To>
	<4bbc10de94694a14bf883d2fdc522ad5@City-Exch-DB1.cbj.local>
Message-ID: <56D7E2BF.90805@pcfreak.de>

Hi,

just for information, I got an A+ for my ZendTo installation at 
https://www.ssllabs.com/ssltest/index.html with this settings in my ssl.conf

   #/etc/httpd/conf.d/ssl.conf
   SSLProtocol all -SSLv2 -SSLv3
   SSLHonorCipherOrder on
   SSLCipherSuite 
ALL:!RC4:!MD5:!ADH:!EXP:!SSLv2:!LOW:!IDEA:RSA:+HIGH:+MEDIUM

This will disable nearly all weak cipher suites, only the ones needed 
for older Internet Explorers (IE8 on XP) will be in.
Maybe change this next year? To verify your ?SSLCipherSuite? string you 
can use the following command:

   #> openssl ciphers -v 
'ALL:!RC4:!MD5:!ADH:!EXP:!SSLv2:!LOW:!IDEA:RSA:+HIGH:+MEDIUM'

It will print out a list of all ciphers that the above line allows in 
the order specified!


I also enabled HSTS with this setting in ssl.conf (29376000 = 350 days)

   #/etc/httpd/conf.d/ssl.conf
   # enable HSTS (client will automatically choose https in the future 
if once connected via https
   <IfModule headers_module>
           Header always set Strict-Transport-Security "max-age=29376000"
   </IfModule>

Kind regards and @Jules thanks again for the good work and all other 
contributors.

PCFreak



On 03.03.2016 00:37, Kevin Miller wrote:
>> P.S. Sorry I haven't done an update in *ages*. 2 questions:
>> (1) What other outstanding bugs/patches are there?, and
>> (2) Is it worth me re-writing the areyouahuman CAPTCHA
>> code for their new one, or is everyone happy with the Google
>> one (reCAPTCHA) that is there already?
> Not sure about bug patches in zendto, but of late there are some significant issues regarding web server security, if you'll indulge a bit of slightly off-topic traffic.
>
> A new attack makes all servers running SSLv2 vulnerable.
> Info on the latest attack can be had here:
>    https://drownattack.com/
>    http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html
> Note that the attack works even if SSLv2 is "soft disabled" by disabling all SSLv2 ciphers.
>
> To check for other vulnerabilities, run the tests at :
>    https://www.ssllabs.com/ssltest/index.html
>
> For fixes, see:
>    http://blog.rlove.org/2013/12/strong-ssl-crypto.html
>
> Regarding AreYouAHuman, I just rolled back to reCaptcha.  Options are nice, but the reCaptcha isn't nearly as odious as it was in the past.
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto


From mailinglists at pcfreak.de  Thu Mar  3 07:19:57 2016
From: mailinglists at pcfreak.de (Der PCFreak)
Date: Thu, 3 Mar 2016 08:19:57 +0100
Subject: [ZendTo] XSS
In-Reply-To: <56D71DB2.3070103@Zend.To>
References: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>
	<56D6E621.3040507@pcfreak.de>
	<a9b2f059d6424b84b0a3afa5fc891203@MBX03B-IAD3.mex08.mlsrvr.com>
	<56D71DB2.3070103@Zend.To>
Message-ID: <56D7E59D.6070200@pcfreak.de>

Hi Jules,

thanks for the quick fix in pickup.php

But there seem to be still some problems in pickup.php concerning the 
'auth' parameter:

Reflected Cross-Site Scripting
------------------------------
pickup.php
The auth parameter was submitted with the value 
"--><script>prompt(12345)</script>1t58l<!--, and the string was echoed 
verbatim in the output, showing that there is a reflected XSS vulnerability.

pickup.php
The auth parameter was submitted with the value 
"--><script>prompt(12345)</script>KBY7h<!--, and the string was echoed 
verbatim in the output, showing that there is a reflected XSS vulnerability.

HTML Injection
--------------
pickup.php
The auth parameter was submitted with the value <h1>hsusx</h1>, and this 
value was echoed back verbatim in the resulting page.

pickup.php
The auth parameter was submitted with the value <h1>8pamj</h1>, and this 
value was echoed back verbatim in the resulting page.


Also an additional problem was found that might be easy to fix:

Autocomplete Enabled on Password Field
--------------------------------------
index.php?action=login
Enabling autocomplete on a password field could allow the browser to 
store a user's password in plain text and show it to anyone using the 
same computer.
Add 'autocomplete=off' to every password field or login form on the site.


There are some more minor problems, too!

The fix from yesterday for pickup.php only fixed

2 Refelected Cross-Site Scripting
2 HTMLInjection

vulnerabilities.

Jules, I could send you the entire report via private mail if you want 
to take a look at it and keep it confidential.

And please correct me, if I am wrong with the above!

Kind regards and thanks for your work

PCFreak




On 02.03.2016 18:06, Jules wrote:
> Hi guys!
>
> Sorry about this one. The fault isn't actually in that line, it's just 
> below it where it says this:
>
>     if ( isset($recipEmail) && ! 
> preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {
>       $emailAddr = 'INVALID';
>     }
>
> Those 2 "$recipEmail" should of course both be "$emailAddr".
>
> I did carefully check the email address was valid, but put in the 
> wrong variable name to check. :-(
> My bad.
>
> That should fix it. No need to restart httpd or anything, just save 
> the file and reload the page.
>
> Cheers,
> Jules.
>
> P.S. Sorry I haven't done an update in *ages*. 2 questions: (1) What 
> other outstanding bugs/patches are there?, and (2) Is it worth me 
> re-writing the areyouahuman CAPTCHA code for their new one, or is 
> everyone happy with the Google one (reCAPTCHA) that is there already?
>
> On 02/03/2016 15:28, Karl Bundy wrote:
>>
>> Hi everyone,
>>
>> It appears that the issue is due to the fact that the email 
>> querystring variable is not being sanitized before being used.  I am 
>> not a skilled programmer, but I was able to make this simple change 
>> to the pickup.php file and it appears to have resolved this XSS 
>> issue.  Please use this at your own risk, as it appears to work for 
>> me, but your mileage may vary ;)
>>
>> In the pickup.php file change this line:
>>
>> $emailAddr = 
>> isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);
>>
>> to this:
>>
>> $emailAddr = 
>> str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));
>>
>> Save the file, and then test again.
>>
>> ---Karl Bundy
>>
>> *From:*zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] *On 
>> Behalf Of *Der PCFreak
>> *Sent:* Wednesday, March 02, 2016 6:10 AM
>> *To:* zendto at zend.to
>> *Subject:* Re: [ZendTo] XSS
>>
>> Hi,
>>
>> Barracuda offers their "Barracuda Vulnerability Manager" for free at 
>> the moment and I tested it.
>> https://bvm.barracudanetworks.com/
>>
>>
>> Here some of the results pointed at my ZendTo installation:
>>
>>
>> Reflected Cross-Site Scripting
>> ==============================
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The emailAddr parameter was submitted with the value 
>> "--><script>prompt(12345)</script>lNYCi<!--, and the string was 
>> echoed verbatim in the output, showing that there is a reflected XSS 
>> vulnerability.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The auth parameter was submitted with the value 
>> "--><script>prompt(12345)</script>HyNzQ<!--, and the string was 
>> echoed verbatim in the output, showing that there is a reflected XSS 
>> vulnerability.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The emailAddr parameter was submitted with the value 
>> "--><script>prompt(12345)</script>x7RXs<!--, and the string was 
>> echoed verbatim in the output, showing that there is a reflected XSS 
>> vulnerability.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The auth parameter was submitted with the value 
>> "--><script>prompt(12345)</script>WqYcq<!--, and the string was 
>> echoed verbatim in the output, showing that there is a reflected XSS 
>> vulnerability.
>>
>> HTML-Injection
>> ==============
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The emailAddr parameter was submitted with the value <h1>tjkgr</h1>, 
>> and this value was echoed back verbatim in the resulting page.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The auth parameter was submitted with the value <h1>xt90x</h1>, and 
>> this value was echoed back verbatim in the resulting page.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The emailAddr parameter was submitted with the value <h1>zrjja</h1>, 
>> and this value was echoed back verbatim in the resulting page.
>> View Full HTTP Request and Response
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The auth parameter was submitted with the value <h1>anhxx</h1>, and 
>> this value was echoed back verbatim in the resulting page.
>>
>> Kind regards
>>
>> PCFreak
>>
>>
>>
>>
>> On 01.03.2016 20:14, Chris Venter wrote:
>>
>>     Hi
>>
>>     Our security audit has highlighted a possible reflected cross
>>     site scripting error on the pickup.php page,to test we ran
>>
>>     https://server_name/pickup/php?emailAddr=test"
>>     /><script>alert('XSS Test')</script>
>>
>>     Can anyone else confirm if this is an issue?
>>
>>     Thanks
>>
>>     CJ
>>
>>
>>
>>
>>     _______________________________________________
>>
>>     ZendTo mailing list
>>
>>     ZendTo at zend.to <mailto:ZendTo at zend.to>
>>
>>     http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>
>>
>>
>> _______________________________________________
>> ZendTo mailing list
>> ZendTo at zend.to
>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>
>> Jules
>>
>> -- 
>> Julian Field MEng MBCS CITP CEng
>>
>>
>> www.Zend.To
>> Twitter: @JulesFM
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160303/972facf3/attachment-0001.html 

From mailinglists at pcfreak.de  Thu Mar  3 09:16:22 2016
From: mailinglists at pcfreak.de (Der PCFreak)
Date: Thu, 3 Mar 2016 10:16:22 +0100
Subject: [ZendTo] XSS
In-Reply-To: <56D7E59D.6070200@pcfreak.de>
References: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>
	<56D6E621.3040507@pcfreak.de>
	<a9b2f059d6424b84b0a3afa5fc891203@MBX03B-IAD3.mex08.mlsrvr.com>
	<56D71DB2.3070103@Zend.To> <56D7E59D.6070200@pcfreak.de>
Message-ID: <56D800E6.4000600@pcfreak.de>

Hi,

the following patch in /opt/zendto/templates/login.tpl mitigates the 
minor problem of password autocompletion through login.php:

<       <td><input type="password" id="passwordField" name="password" 
size="15" value=""/></td>
---
 >       <!-- <td><input type="password" id="passwordField" 
name="password" size="15" value=""/></td> -->
 >       <td><input type="password" id="passwordField" name="password" 
size="15" value=""autocomplete="off"/></td>

Greets

PCFreak

On 03.03.2016 08:19, Der PCFreak wrote:
> Hi Jules,
>
> thanks for the quick fix in pickup.php
>
> But there seem to be still some problems in pickup.php concerning the 
> 'auth' parameter:
>
> Reflected Cross-Site Scripting
> ------------------------------
> pickup.php
> The auth parameter was submitted with the value 
> "--><script>prompt(12345)</script>1t58l<!--, and the string was echoed 
> verbatim in the output, showing that there is a reflected XSS 
> vulnerability.
>
> pickup.php
> The auth parameter was submitted with the value 
> "--><script>prompt(12345)</script>KBY7h<!--, and the string was echoed 
> verbatim in the output, showing that there is a reflected XSS 
> vulnerability.
>
> HTML Injection
> --------------
> pickup.php
> The auth parameter was submitted with the value <h1>hsusx</h1>, and 
> this value was echoed back verbatim in the resulting page.
>
> pickup.php
> The auth parameter was submitted with the value <h1>8pamj</h1>, and 
> this value was echoed back verbatim in the resulting page.
>
>
> Also an additional problem was found that might be easy to fix:
>
> Autocomplete Enabled on Password Field
> --------------------------------------
> index.php?action=login
> Enabling autocomplete on a password field could allow the browser to 
> store a user's password in plain text and show it to anyone using the 
> same computer.
> Add 'autocomplete=off' to every password field or login form on the site.
>
>
> There are some more minor problems, too!
>
> The fix from yesterday for pickup.php only fixed
>
> 2 Refelected Cross-Site Scripting
> 2 HTMLInjection
>
> vulnerabilities.
>
> Jules, I could send you the entire report via private mail if you want 
> to take a look at it and keep it confidential.
>
> And please correct me, if I am wrong with the above!
>
> Kind regards and thanks for your work
>
> PCFreak
>
>
>
>
> On 02.03.2016 18:06, Jules wrote:
>> Hi guys!
>>
>> Sorry about this one. The fault isn't actually in that line, it's 
>> just below it where it says this:
>>
>>     if ( isset($recipEmail) && ! 
>> preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {
>>       $emailAddr = 'INVALID';
>>     }
>>
>> Those 2 "$recipEmail" should of course both be "$emailAddr".
>>
>> I did carefully check the email address was valid, but put in the 
>> wrong variable name to check. :-(
>> My bad.
>>
>> That should fix it. No need to restart httpd or anything, just save 
>> the file and reload the page.
>>
>> Cheers,
>> Jules.
>>
>> P.S. Sorry I haven't done an update in *ages*. 2 questions: (1) What 
>> other outstanding bugs/patches are there?, and (2) Is it worth me 
>> re-writing the areyouahuman CAPTCHA code for their new one, or is 
>> everyone happy with the Google one (reCAPTCHA) that is there already?
>>
>> On 02/03/2016 15:28, Karl Bundy wrote:
>>>
>>> Hi everyone,
>>>
>>> It appears that the issue is due to the fact that the email 
>>> querystring variable is not being sanitized before being used.  I am 
>>> not a skilled programmer, but I was able to make this simple change 
>>> to the pickup.php file and it appears to have resolved this XSS 
>>> issue.  Please use this at your own risk, as it appears to work for 
>>> me, but your mileage may vary ;)
>>>
>>> In the pickup.php file change this line:
>>>
>>> $emailAddr = 
>>> isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);
>>>
>>> to this:
>>>
>>> $emailAddr = 
>>> str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));
>>>
>>> Save the file, and then test again.
>>>
>>> ---Karl Bundy
>>>
>>> *From:*zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] *On 
>>> Behalf Of *Der PCFreak
>>> *Sent:* Wednesday, March 02, 2016 6:10 AM
>>> *To:* zendto at zend.to
>>> *Subject:* Re: [ZendTo] XSS
>>>
>>> Hi,
>>>
>>> Barracuda offers their "Barracuda Vulnerability Manager" for free at 
>>> the moment and I tested it.
>>> https://bvm.barracudanetworks.com/
>>>
>>>
>>> Here some of the results pointed at my ZendTo installation:
>>>
>>>
>>> Reflected Cross-Site Scripting
>>> ==============================
>>> https://your.url.tld/pickup.php
>>> Issue Detail
>>> The emailAddr parameter was submitted with the value 
>>> "--><script>prompt(12345)</script>lNYCi<!--, and the string was 
>>> echoed verbatim in the output, showing that there is a reflected XSS 
>>> vulnerability.
>>>
>>> https://your.url.tld/pickup.php
>>> Issue Detail
>>> The auth parameter was submitted with the value 
>>> "--><script>prompt(12345)</script>HyNzQ<!--, and the string was 
>>> echoed verbatim in the output, showing that there is a reflected XSS 
>>> vulnerability.
>>>
>>> https://your.url.tld/pickup.php
>>> Issue Detail
>>> The emailAddr parameter was submitted with the value 
>>> "--><script>prompt(12345)</script>x7RXs<!--, and the string was 
>>> echoed verbatim in the output, showing that there is a reflected XSS 
>>> vulnerability.
>>>
>>> https://your.url.tld/pickup.php
>>> Issue Detail
>>> The auth parameter was submitted with the value 
>>> "--><script>prompt(12345)</script>WqYcq<!--, and the string was 
>>> echoed verbatim in the output, showing that there is a reflected XSS 
>>> vulnerability.
>>>
>>> HTML-Injection
>>> ==============
>>> https://your.url.tld/pickup.php
>>> Issue Detail
>>> The emailAddr parameter was submitted with the value <h1>tjkgr</h1>, 
>>> and this value was echoed back verbatim in the resulting page.
>>>
>>> https://your.url.tld/pickup.php
>>> Issue Detail
>>> The auth parameter was submitted with the value <h1>xt90x</h1>, and 
>>> this value was echoed back verbatim in the resulting page.
>>>
>>> https://your.url.tld/pickup.php
>>> Issue Detail
>>> The emailAddr parameter was submitted with the value <h1>zrjja</h1>, 
>>> and this value was echoed back verbatim in the resulting page.
>>> View Full HTTP Request and Response
>>>
>>> https://your.url.tld/pickup.php
>>> Issue Detail
>>> The auth parameter was submitted with the value <h1>anhxx</h1>, and 
>>> this value was echoed back verbatim in the resulting page.
>>>
>>> Kind regards
>>>
>>> PCFreak
>>>
>>>
>>>
>>>
>>> On 01.03.2016 20:14, Chris Venter wrote:
>>>
>>>     Hi
>>>
>>>     Our security audit has highlighted a possible reflected cross
>>>     site scripting error on the pickup.php page,to test we ran
>>>
>>>     https://server_name/pickup/php?emailAddr=test"
>>>     /><script>alert('XSS Test')</script>
>>>
>>>     Can anyone else confirm if this is an issue?
>>>
>>>     Thanks
>>>
>>>     CJ
>>>
>>>
>>>
>>>
>>>     _______________________________________________
>>>
>>>     ZendTo mailing list
>>>
>>>     ZendTo at zend.to <mailto:ZendTo at zend.to>
>>>
>>>     http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>>
>>>
>>>
>>> _______________________________________________
>>> ZendTo mailing list
>>> ZendTo at zend.to
>>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>>
>>> Jules
>>>
>>> -- 
>>> Julian Field MEng MBCS CITP CEng
>>>
>>>
>>> www.Zend.To
>>> Twitter: @JulesFM
>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>
>> _______________________________________________
>> ZendTo mailing list
>> ZendTo at zend.to
>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160303/1e52d7ca/attachment-0001.html 

From eythort at menandmice.com  Thu Mar  3 09:33:20 2016
From: eythort at menandmice.com (Eythor G. Thorsteinsson)
Date: Thu, 3 Mar 2016 09:33:20 +0000
Subject: [ZendTo] XSS
In-Reply-To: <56D800E6.4000600@pcfreak.de>
References: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>
	<56D6E621.3040507@pcfreak.de>
	<a9b2f059d6424b84b0a3afa5fc891203@MBX03B-IAD3.mex08.mlsrvr.com>
	<56D71DB2.3070103@Zend.To> <56D7E59D.6070200@pcfreak.de>
	<56D800E6.4000600@pcfreak.de>
Message-ID: <334E32F2-6D1F-4776-BDEF-F9E0C0D174C7@menandmice.com>

Hi,

the autocomplete="off" is actually ignored by most if not all modern browsers on password fields.

See for instance the last paragraph here: https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

--Eythor

On 03 Mar 2016, at 09:16, Der PCFreak <mailinglists at pcfreak.de<mailto:mailinglists at pcfreak.de>> wrote:

Hi,

the following patch in /opt/zendto/templates/login.tpl mitigates the minor problem of password autocompletion through login.php:

<       <td><input type="password" id="passwordField" name="password" size="15" value=""/></td>
---
>       <!-- <td><input type="password" id="passwordField" name="password" size="15" value=""/></td> -->
>       <td><input type="password" id="passwordField" name="password" size="15" value="" autocomplete="off"/></td>

Greets

PCFreak

On 03.03.2016 08:19, Der PCFreak wrote:
Hi Jules,

thanks for the quick fix in pickup.php

But there seem to be still some problems in pickup.php concerning the 'auth' parameter:

Reflected Cross-Site Scripting
------------------------------
pickup.php
The auth parameter was submitted with the value "--><script>prompt(12345)</script>1t58l<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.

pickup.php
The auth parameter was submitted with the value "--><script>prompt(12345)</script>KBY7h<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.

HTML Injection
--------------
pickup.php
The auth parameter was submitted with the value <h1>hsusx</h1>, and this value was echoed back verbatim in the resulting page.

pickup.php
The auth parameter was submitted with the value <h1>8pamj</h1>, and this value was echoed back verbatim in the resulting page.


Also an additional problem was found that might be easy to fix:

Autocomplete Enabled on Password Field
--------------------------------------
index.php?action=login
Enabling autocomplete on a password field could allow the browser to store a user's password in plain text and show it to anyone using the same computer.
Add 'autocomplete=off' to every password field or login form on the site.


There are some more minor problems, too!

The fix from yesterday for pickup.php only fixed

2 Refelected Cross-Site Scripting
2 HTML Injection

vulnerabilities.

Jules, I could send you the entire report via private mail if you want to take a look at it and keep it confidential.

And please correct me, if I am wrong with the above!

Kind regards and thanks for your work

PCFreak




On 02.03.2016 18:06, Jules wrote:
Hi guys!

Sorry about this one. The fault isn't actually in that line, it's just below it where it says this:

    if ( isset($recipEmail) && ! preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {
      $emailAddr = 'INVALID';
    }

Those 2 "$recipEmail" should of course both be "$emailAddr".

I did carefully check the email address was valid, but put in the wrong variable name to check. :-(
My bad.

That should fix it. No need to restart httpd or anything, just save the file and reload the page.

Cheers,
Jules.

P.S. Sorry I haven't done an update in *ages*. 2 questions: (1) What other outstanding bugs/patches are there?, and (2) Is it worth me re-writing the areyouahuman CAPTCHA code for their new one, or is everyone happy with the Google one (reCAPTCHA) that is there already?

On 02/03/2016 15:28, Karl Bundy wrote:
Hi everyone,

It appears that the issue is due to the fact that the email querystring variable is not being sanitized before being used.  I am not a skilled programmer, but I was able to make this simple change to the pickup.php file and it appears to have resolved this XSS issue.  Please use this at your own risk, as it appears to work for me, but your mileage may vary ;)

In the pickup.php file change this line:

$emailAddr = isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);

to this:

$emailAddr = str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));


Save the file, and then test again.


---Karl Bundy

From: zendto-bounces at zend.to<mailto:zendto-bounces at zend.to> [mailto:zendto-bounces at zend.to] On Behalf Of Der PCFreak
Sent: Wednesday, March 02, 2016 6:10 AM
To: zendto at zend.to<mailto:zendto at zend.to>
Subject: Re: [ZendTo] XSS

Hi,

Barracuda offers their "Barracuda Vulnerability Manager" for free at the moment and I tested it.
https://bvm.barracudanetworks.com/


Here some of the results pointed at my ZendTo installation:


Reflected Cross-Site Scripting
==============================
https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value "--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value "--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.

https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value "--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value "--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.

HTML-Injection
==============
https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value <h1>tjkgr</h1>, and this value was echoed back verbatim in the resulting page.

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value <h1>xt90x</h1>, and this value was echoed back verbatim in the resulting page.

https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value <h1>zrjja</h1>, and this value was echoed back verbatim in the resulting page.
View Full HTTP Request and Response

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value <h1>anhxx</h1>, and this value was echoed back verbatim in the resulting page.

Kind regards

PCFreak




On 01.03.2016 20:14, Chris Venter wrote:
Hi
Our security audit has highlighted a possible reflected cross site scripting error on the pickup.php page,to test we ran

https://server_name/pickup/php?emailAddr=test" /><script>alert('XSS Test')</script>

Can anyone else confirm if this is an issue?
Thanks
CJ




_______________________________________________

ZendTo mailing list

ZendTo at zend.to<mailto:ZendTo at zend.to>

http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto





_______________________________________________
ZendTo mailing list
ZendTo at zend.to<mailto:ZendTo at zend.to>
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto


Jules

--
Julian Field MEng MBCS CITP CEng


www.Zend.To<http://www.zend.to/>
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654




_______________________________________________
ZendTo mailing list
ZendTo at zend.to<mailto:ZendTo at zend.to>
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto


_______________________________________________
ZendTo mailing list
ZendTo at zend.to<mailto:ZendTo at zend.to>
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160303/54660a2d/attachment-0001.html 

From spork at bway.net  Thu Mar  3 19:09:01 2016
From: spork at bway.net (Charles Sprickman)
Date: Thu, 3 Mar 2016 14:09:01 -0500
Subject: [ZendTo] XSS
In-Reply-To: <334E32F2-6D1F-4776-BDEF-F9E0C0D174C7@menandmice.com>
References: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>
	<56D6E621.3040507@pcfreak.de>
	<a9b2f059d6424b84b0a3afa5fc891203@MBX03B-IAD3.mex08.mlsrvr.com>
	<56D71DB2.3070103@Zend.To> <56D7E59D.6070200@pcfreak.de>
	<56D800E6.4000600@pcfreak.de>
	<334E32F2-6D1F-4776-BDEF-F9E0C0D174C7@menandmice.com>
Message-ID: <7E8954B0-957B-431F-BA95-E2CE540151C2@bway.net>



> On Mar 3, 2016, at 4:33 AM, Eythor G. Thorsteinsson <eythort at menandmice.com> wrote:
> 
> Hi,
> 
> the autocomplete="off" is actually ignored by most if not all modern browsers on password fields. 
> 
> See for instance the last paragraph here: https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion <https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion>
It?s also a terrible idea.  People with password managers are more likely to have a complex password.  ?Punishing? them by trying to disable saving the password is a terrible idea.

Charles

> 
> --Eythor
> 
>> On 03 Mar 2016, at 09:16, Der PCFreak <mailinglists at pcfreak.de <mailto:mailinglists at pcfreak.de>> wrote:
>> 
>> Hi,
>> 
>> the following patch in /opt/zendto/templates/login.tpl mitigates the minor problem of password autocompletion through login.php:
>> 
>> <       <td><input type="password" id="passwordField" name="password" size="15" value=""/></td>
>> ---
>> >       <!-- <td><input type="password" id="passwordField" name="password" size="15" value=""/></td> -->
>> >       <td><input type="password" id="passwordField" name="password" size="15" value="" autocomplete="off"/></td>
>> 
>> Greets
>> 
>> PCFreak
>> 
>> On 03.03.2016 08:19, Der PCFreak wrote:
>>> Hi Jules,
>>> 
>>> thanks for the quick fix in pickup.php
>>> 
>>> But there seem to be still some problems in pickup.php concerning the 'auth' parameter:
>>> 
>>> Reflected Cross-Site Scripting
>>> ------------------------------
>>> pickup.php
>>> The auth parameter was submitted with the value "--><script>prompt(12345)</script>1t58l<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
>>> 
>>> pickup.php
>>> The auth parameter was submitted with the value "--><script>prompt(12345)</script>KBY7h<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
>>> 
>>> HTML Injection
>>> --------------
>>> pickup.php
>>> The auth parameter was submitted with the value <h1>hsusx</h1>, and this value was echoed back verbatim in the resulting page.
>>> 
>>> pickup.php
>>> The auth parameter was submitted with the value <h1>8pamj</h1>, and this value was echoed back verbatim in the resulting page.
>>> 
>>> 
>>> Also an additional problem was found that might be easy to fix:
>>> 
>>> Autocomplete Enabled on Password Field
>>> --------------------------------------
>>> index.php?action=login
>>> Enabling autocomplete on a password field could allow the browser to store a user's password in plain text and show it to anyone using the same computer.
>>> Add 'autocomplete=off' to every password field or login form on the site.
>>> 
>>> 
>>> There are some more minor problems, too!
>>> 
>>> The fix from yesterday for pickup.php only fixed
>>> 
>>> 2 Refelected Cross-Site Scripting
>>> 2 HTML Injection
>>> 
>>> vulnerabilities.
>>> 
>>> Jules, I could send you the entire report via private mail if you want to take a look at it and keep it confidential.
>>> 
>>> And please correct me, if I am wrong with the above!
>>> 
>>> Kind regards and thanks for your work
>>> 
>>> PCFreak
>>> 
>>> 
>>> 
>>> 
>>> On 02.03.2016 18:06, Jules wrote:
>>>> Hi guys!
>>>> 
>>>> Sorry about this one. The fault isn't actually in that line, it's just below it where it says this:
>>>> 
>>>>     if ( isset($recipEmail) && ! preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {
>>>>       $emailAddr = 'INVALID';
>>>>     }
>>>> 
>>>> Those 2 "$recipEmail" should of course both be "$emailAddr".
>>>> 
>>>> I did carefully check the email address was valid, but put in the wrong variable name to check. :-(
>>>> My bad.
>>>> 
>>>> That should fix it. No need to restart httpd or anything, just save the file and reload the page.
>>>> 
>>>> Cheers,
>>>> Jules.
>>>> 
>>>> P.S. Sorry I haven't done an update in *ages*. 2 questions: (1) What other outstanding bugs/patches are there?, and (2) Is it worth me re-writing the areyouahuman CAPTCHA code for their new one, or is everyone happy with the Google one (reCAPTCHA) that is there already?
>>>> 
>>>> On 02/03/2016 15:28, Karl Bundy wrote:
>>>>> Hi everyone,
>>>>>  
>>>>> It appears that the issue is due to the fact that the email querystring variable is not being sanitized before being used.  I am not a skilled programmer, but I was able to make this simple change to the pickup.php file and it appears to have resolved this XSS issue.  Please use this at your own risk, as it appears to work for me, but your mileage may vary ;)
>>>>>  
>>>>> In the pickup.php file change this line:
>>>>>  
>>>>> $emailAddr = isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);
>>>>>  
>>>>> to this:
>>>>>  
>>>>> $emailAddr = str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));
>>>>>  
>>>>>  
>>>>> Save the file, and then test again.
>>>>>  
>>>>>  
>>>>> ---Karl Bundy
>>>>>  
>>>>> From: zendto-bounces at zend.to <mailto:zendto-bounces at zend.to> [mailto:zendto-bounces at zend.to <mailto:zendto-bounces at zend.to>] On Behalf Of Der PCFreak
>>>>> Sent: Wednesday, March 02, 2016 6:10 AM
>>>>> To: zendto at zend.to <mailto:zendto at zend.to>
>>>>> Subject: Re: [ZendTo] XSS
>>>>>  
>>>>> Hi,
>>>>> 
>>>>> Barracuda offers their "Barracuda Vulnerability Manager" for free at the moment and I tested it.
>>>>> https://bvm.barracudanetworks.com/ <https://bvm.barracudanetworks.com/>
>>>>> 
>>>>> 
>>>>> Here some of the results pointed at my ZendTo installation:
>>>>> 
>>>>> 
>>>>> Reflected Cross-Site Scripting
>>>>> ==============================
>>>>> https://your.url.tld/pickup.php <https://your.url.tld/pickup.php>
>>>>> Issue Detail
>>>>> The emailAddr parameter was submitted with the value "--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
>>>>> 
>>>>> https://your.url.tld/pickup.php <https://your.url.tld/pickup.php>
>>>>> Issue Detail
>>>>> The auth parameter was submitted with the value "--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
>>>>> 
>>>>> https://your.url.tld/pickup.php <https://your.url.tld/pickup.php>
>>>>> Issue Detail
>>>>> The emailAddr parameter was submitted with the value "--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
>>>>> 
>>>>> https://your.url.tld/pickup.php <https://your.url.tld/pickup.php>
>>>>> Issue Detail
>>>>> The auth parameter was submitted with the value "--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
>>>>> 
>>>>> HTML-Injection
>>>>> ==============
>>>>> https://your.url.tld/pickup.php <https://your.url.tld/pickup.php>
>>>>> Issue Detail
>>>>> The emailAddr parameter was submitted with the value <h1>tjkgr</h1>, and this value was echoed back verbatim in the resulting page.
>>>>> 
>>>>> https://your.url.tld/pickup.php <https://your.url.tld/pickup.php>
>>>>> Issue Detail
>>>>> The auth parameter was submitted with the value <h1>xt90x</h1>, and this value was echoed back verbatim in the resulting page.
>>>>> 
>>>>> https://your.url.tld/pickup.php <https://your.url.tld/pickup.php>
>>>>> Issue Detail
>>>>> The emailAddr parameter was submitted with the value <h1>zrjja</h1>, and this value was echoed back verbatim in the resulting page.
>>>>> View Full HTTP Request and Response
>>>>> 
>>>>> https://your.url.tld/pickup.php <https://your.url.tld/pickup.php>
>>>>> Issue Detail
>>>>> The auth parameter was submitted with the value <h1>anhxx</h1>, and this value was echoed back verbatim in the resulting page.
>>>>> 
>>>>> Kind regards
>>>>> 
>>>>> PCFreak
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> On 01.03.2016 20:14, Chris Venter wrote:
>>>>> Hi 
>>>>> 
>>>>> Our security audit has highlighted a possible reflected cross site scripting error on the pickup.php page,to test we ran 
>>>>> 
>>>>> https://server_name/pickup/php?emailAddr=test <https://server_name/pickup/php?emailAddr=test>" /><script>alert('XSS Test')</script>
>>>>>  
>>>>> Can anyone else confirm if this is an issue?
>>>>> 
>>>>> Thanks
>>>>> CJ
>>>>> 
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> ZendTo mailing list
>>>>> ZendTo at zend.to <mailto:ZendTo at zend.to>
>>>>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto <http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto>
>>>>>  
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> ZendTo mailing list
>>>>> ZendTo at zend.to <mailto:ZendTo at zend.to>
>>>>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto <http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto>
>>>>> Jules
>>>>> 
>>>>> -- 
>>>>> Julian Field MEng MBCS CITP CEng
>>>>> 
>>>>> 
>>>>> www.Zend.To <http://www.zend.to/>
>>>>> Twitter: @JulesFM
>>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>> 
>>>> 
>>>> _______________________________________________
>>>> ZendTo mailing list
>>>> ZendTo at zend.to <mailto:ZendTo at zend.to>
>>>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto <http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto>
>> 
>> _______________________________________________
>> ZendTo mailing list
>> ZendTo at zend.to <mailto:ZendTo at zend.to>
>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto <http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160303/33a70157/attachment-0001.html 

From mailinglists at pcfreak.de  Fri Mar  4 06:33:06 2016
From: mailinglists at pcfreak.de (Der PCFreak)
Date: Fri, 4 Mar 2016 07:33:06 +0100
Subject: [ZendTo] XSS
In-Reply-To: <7E8954B0-957B-431F-BA95-E2CE540151C2@bway.net>
References: <CAPgmoWbKJhuO28MxfTko_d3AfipunRC7d45N-sZ30Vmo6hssdQ@mail.gmail.com>
	<56D6E621.3040507@pcfreak.de>
	<a9b2f059d6424b84b0a3afa5fc891203@MBX03B-IAD3.mex08.mlsrvr.com>
	<56D71DB2.3070103@Zend.To> <56D7E59D.6070200@pcfreak.de>
	<56D800E6.4000600@pcfreak.de>
	<334E32F2-6D1F-4776-BDEF-F9E0C0D174C7@menandmice.com>
	<7E8954B0-957B-431F-BA95-E2CE540151C2@bway.net>
Message-ID: <56D92C22.8010009@pcfreak.de>

On 03.03.2016 20:09, Charles Sprickman wrote:
> It?s also a terrible idea.  People with password managers are more 
> likely to have a complex password.  ?Punishing? them by trying to 
> disable saving the password is a terrible idea.

On the other hand, most password managers allow to override that. So 
best for all. Enable it within ZendTo to protect users that might use 
their ZendTo login in public places and
for those using password managers, the password manager will override.

Greets

PCFreak

From Brian.Novogradac at utoronto.ca  Mon Mar 28 13:10:56 2016
From: Brian.Novogradac at utoronto.ca (Brian Novogradac)
Date: Mon, 28 Mar 2016 12:10:56 +0000
Subject: [ZendTo] AD SSL issues
Message-ID: <796146345C18F14E8B9C4C5793409100011E543BDE@arborexmbx2.UTORARBOR.UTORAD.Utoronto.ca>

Hello,

I am having a tough time here hope someone could shed some light.  I have no problem using the application via AD unencrypted 389.  I go to activate using SSL protocol by changing 'authLDAPUseSSL1'           => true.

After a bunch of digging and troubleshooting the application is still trying to use port 389 instead of 636.

Any help appreciated

Brian Novogradac
System Analyst, Computing Services (I&ITS)

University of Toronto at Mississauga
3359 Mississauga Road N.
Mississauga, Ontario, L5L 1C6

(P) 416-435-2543
(F) 905-569-4343
(E) brian.novogradac at utoronto.ca<mailto:brian.novogradac at utoronto.ca>
(W) www.utm.utoronto.ca/iits<http://www.utm.utoronto.ca/iits>

This E-mail contains privileged and confidential information intended only for the individual or entity named in the message. If the reader of this message is not the intended recipient, or the agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited.  If this communication was received in error, please notify the sender by reply E-mail immediately, and delete and destroy the original message.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160328/34fe75dd/attachment.html 

From jordack at yahoo.com  Mon Mar 28 20:46:49 2016
From: jordack at yahoo.com (Jordack)
Date: Mon, 28 Mar 2016 19:46:49 +0000 (UTC)
Subject: [ZendTo] AD SSL issues
In-Reply-To: <796146345C18F14E8B9C4C5793409100011E543BDE@arborexmbx2.UTORARBOR.UTORAD.Utoronto.ca>
References: <796146345C18F14E8B9C4C5793409100011E543BDE@arborexmbx2.UTORARBOR.UTORAD.Utoronto.ca>
Message-ID: <498732350.1251472.1459194409507.JavaMail.yahoo@mail.yahoo.com>

I'm not seeing that. ?Mine is connecting over 636.
Maybe its failing back to cleartext if SSL fails.
I know with every system I've setup LDAP on it requires setting the CACert in the ldap.conf file
/etc/openldap/ldap.conf
TLS_CACERT ? ? ?/etc/pki/tls/certs/TrustedRoot2015.pem

 

    On Monday, March 28, 2016 8:11 AM, Brian Novogradac <Brian.Novogradac at utoronto.ca> wrote:
 

  <!--#yiv6055996592 _filtered #yiv6055996592 {font-family:"Cambria Math";panose-1:2 4 5 3 5 4 6 3 2 4;} _filtered #yiv6055996592 {font-family:"Calibri Light";panose-1:2 15 3 2 2 2 4 3 2 4;} _filtered #yiv6055996592 {font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;}#yiv6055996592 #yiv6055996592 p.yiv6055996592MsoNormal, #yiv6055996592 li.yiv6055996592MsoNormal, #yiv6055996592 div.yiv6055996592MsoNormal {margin:0cm;margin-bottom:.0001pt;font-size:11.0pt;font-family:"Calibri", sans-serif;}#yiv6055996592 a:link, #yiv6055996592 span.yiv6055996592MsoHyperlink {color:#0563C1;text-decoration:underline;}#yiv6055996592 a:visited, #yiv6055996592 span.yiv6055996592MsoHyperlinkFollowed {color:#954F72;text-decoration:underline;}#yiv6055996592 span.yiv6055996592EmailStyle17 {font-family:"Calibri", sans-serif;color:windowtext;}#yiv6055996592 .yiv6055996592MsoChpDefault {font-family:"Calibri", sans-serif;} _filtered #yiv6055996592 {margin:72.0pt 72.0pt 72.0pt 72.0pt;}#yiv6055996592 div.yiv6055996592WordSection1 {}-->Hello,  ? I am having a tough time here hope someone could shed some light.? I have no problem using the application via AD unencrypted 389.? I go to activate using SSL protocol by changing 'authLDAPUseSSL1'?????????? => true.  ? After a bunch of digging and troubleshooting the application is still trying to use port 389 instead of 636.?  ? Any help appreciated  ? Brian Novogradac
System Analyst,?Computing Services (I&ITS)

University of Toronto at Mississauga
3359 Mississauga Road N.
Mississauga, Ontario, L5L 1C6

(P) 416-435-2543
(F) 905-569-4343
(E)?brian.novogradac at utoronto.ca (W)www.utm.utoronto.ca/iits

This E-mail contains privileged and confidential information intended only for the individual or entity named in the message. If the reader of this message is not the intended recipient, or the agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited. ?If this communication was received in error, please notify the sender by reply E-mail immediately, and delete and destroy the original message.  ? 
_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160328/15675007/attachment.html 

From Brian.Novogradac at utoronto.ca  Mon Mar 28 21:59:19 2016
From: Brian.Novogradac at utoronto.ca (Brian Novogradac)
Date: Mon, 28 Mar 2016 20:59:19 +0000
Subject: [ZendTo] AD SSL issues
In-Reply-To: <498732350.1251472.1459194409507.JavaMail.yahoo@mail.yahoo.com>
References: <796146345C18F14E8B9C4C5793409100011E543BDE@arborexmbx2.UTORARBOR.UTORAD.Utoronto.ca>
	<498732350.1251472.1459194409507.JavaMail.yahoo@mail.yahoo.com>
Message-ID: <796146345C18F14E8B9C4C5793409100011E545274@arborexmbx2.UTORARBOR.UTORAD.Utoronto.ca>

I know SSL works because I?ve tested connectivity on the server, I can connect and do a query no problems through ssl.  But when I ?activate? SSL on the app it still falls back to 389.  This is just for the app.

IS there maybe somewhere else within the app that is making that call to LDAPS/LDAP.




From: zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] On Behalf Of Jordack
Sent: March-28-16 3:47 PM
To: ZendTo Users <zendto at zend.to>
Subject: Re: [ZendTo] AD SSL issues

I'm not seeing that.  Mine is connecting over 636.

Maybe its failing back to cleartext if SSL fails.

I know with every system I've setup LDAP on it requires setting the CACert in the ldap.conf file

/etc/openldap/ldap.conf

TLS_CACERT      /etc/pki/tls/certs/TrustedRoot2015.pem



On Monday, March 28, 2016 8:11 AM, Brian Novogradac <Brian.Novogradac at utoronto.ca<mailto:Brian.Novogradac at utoronto.ca>> wrote:

Hello,

I am having a tough time here hope someone could shed some light.  I have no problem using the application via AD unencrypted 389.  I go to activate using SSL protocol by changing 'authLDAPUseSSL1'           => true.

After a bunch of digging and troubleshooting the application is still trying to use port 389 instead of 636.

Any help appreciated

Brian Novogradac
System Analyst, Computing Services (I&ITS)

University of Toronto at Mississauga
3359 Mississauga Road N.
Mississauga, Ontario, L5L 1C6

(P) 416-435-2543
(F) 905-569-4343
(E) brian.novogradac at utoronto.ca<mailto:brian.novogradac at utoronto.ca>
(W) www.utm.utoronto.ca/iits<http://www.utm.utoronto.ca/iits>

This E-mail contains privileged and confidential information intended only for the individual or entity named in the message. If the reader of this message is not the intended recipient, or the agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited.  If this communication was received in error, please notify the sender by reply E-mail immediately, and delete and destroy the original message.


_______________________________________________
ZendTo mailing list
ZendTo at zend.to<mailto:ZendTo at zend.to>
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160328/8129ee7a/attachment-0001.html