[ZendTo] XSS
Karl Bundy
karl.bundy at aldentorch.com
Wed Mar 2 15:29:32 GMT 2016
I forgot to mention that this was based on the code for version 4.12
--- Karl Bundy
From: Karl Bundy
Sent: Wednesday, March 02, 2016 8:28 AM
To: zendto at zend.to
Subject: RE: [ZendTo] XSS
Hi everyone,
It appears that the issue is due to the fact that the email querystring variable is not being sanitized before being used. I am not a skilled programmer, but I was able to make this simple change to the pickup.php file and it appears to have resolved this XSS issue. Please use this at your own risk, as it appears to work for me, but your mileage may vary ;)
In the pickup.php file change this line:
$emailAddr = isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);
to this:
$emailAddr = str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));
Save the file, and then test again.
---Karl Bundy
From: zendto-bounces at zend.to<mailto:zendto-bounces at zend.to> [mailto:zendto-bounces at zend.to] On Behalf Of Der PCFreak
Sent: Wednesday, March 02, 2016 6:10 AM
To: zendto at zend.to<mailto:zendto at zend.to>
Subject: Re: [ZendTo] XSS
Hi,
Barracuda offers their "Barracuda Vulnerability Manager" for free at the moment and I tested it.
https://bvm.barracudanetworks.com/
Here some of the results pointed at my ZendTo installation:
Reflected Cross-Site Scripting
==============================
https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value "--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value "--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value "--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value "--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
HTML-Injection
==============
https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value <h1>tjkgr</h1>, and this value was echoed back verbatim in the resulting page.
https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value <h1>xt90x</h1>, and this value was echoed back verbatim in the resulting page.
https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value <h1>zrjja</h1>, and this value was echoed back verbatim in the resulting page.
View Full HTTP Request and Response
https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value <h1>anhxx</h1>, and this value was echoed back verbatim in the resulting page.
Kind regards
PCFreak
On 01.03.2016 20:14, Chris Venter wrote:
Hi
Our security audit has highlighted a possible reflected cross site scripting error on the pickup.php page,to test we ran
https://server_name/pickup/php?emailAddr=test" /><script>alert('XSS Test')</script>
Can anyone else confirm if this is an issue?
Thanks
CJ
_______________________________________________
ZendTo mailing list
ZendTo at zend.to<mailto:ZendTo at zend.to>
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20160302/79e4dd4d/attachment-0001.html
More information about the ZendTo
mailing list