[ZendTo] XSS

Karl Bundy karl.bundy at aldentorch.com
Wed Mar 2 15:29:32 GMT 2016


I forgot to mention that this was based on the code for version 4.12

--- Karl Bundy

From: Karl Bundy
Sent: Wednesday, March 02, 2016 8:28 AM
To: zendto at zend.to
Subject: RE: [ZendTo] XSS

Hi everyone,

It appears that the issue is due to the fact that the email querystring variable is not being sanitized before being used.  I am not a skilled programmer, but I was able to make this simple change to the pickup.php file and it appears to have resolved this XSS issue.  Please use this at your own risk, as it appears to work for me, but your mileage may vary ;)

In the pickup.php file change this line:

$emailAddr = isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);

to this:

$emailAddr = str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));


Save the file, and then test again.


---Karl Bundy
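The following is an added example, not ZendTo code or Karl's patch: it runs the quote-stripping change above and a context-aware encoder (htmlspecialchars with ENT_QUOTES) against the payloads quoted elsewhere in this thread, to show what each actually neutralises. Function names and the input markup are hypothetical.

```php
<?php
// Added example (not ZendTo code). Compares the str_replace('"', ...) change
// proposed above with output encoding, using the payloads from this thread.

// The change proposed above: drop double quotes from the raw parameter.
function stripQuotes(?string $value): ?string
{
    return $value === null ? null : str_replace('"', '', $value);
}

// Encode for an HTML attribute or text node: &, <, >, " and ' all become
// entities, so the value can neither close an attribute nor open a tag.
function encodeForHtml(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hypothetical pickup-style form field, encoded at the point of output.
function renderEmailField(?string $emailAddr): string
{
    return '<input type="text" name="emailAddr" value="'
        . encodeForHtml($emailAddr) . '" />';
}

// Constructed inputs, copied from the payloads quoted in this thread.
$payloads = [
    'test" /><script>alert(\'XSS Test\')</script>',
    '--><script>prompt(12345)</script>lNYCi<!--',
    '<h1>tjkgr</h1>',
];

foreach ($payloads as $p) {
    // Quote-stripping only helps inside a double-quoted attribute; the
    // <script> and <h1> tags survive and still render in a text context.
    $stripped    = stripQuotes($p);
    $tagsSurvive = (bool) preg_match('#</?(script|h1)#i', $stripped);

    // After encoding, no raw '<' or '"' remains, whatever the context.
    $encoded     = encodeForHtml($p);
    $encodedSafe = strpos($encoded, '<') === false
                && strpos($encoded, '"') === false;

    printf("%-48s stripped leaves tags: %-3s encoded safe: %s\n",
        $p, $tagsSurvive ? 'yes' : 'no', $encodedSafe ? 'yes' : 'no');
}

// The same field rendered with encoding applied to the first payload.
echo renderEmailField($payloads[0]), "\n";
```

Stripping one character addresses only the attribute-breakout case; encoding at output time also covers the comment-breakout and bare-tag payloads reported by the scanner.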

From: zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] On Behalf Of Der PCFreak
Sent: Wednesday, March 02, 2016 6:10 AM
To: zendto at zend.to
Subject: Re: [ZendTo] XSS

Hi,

Barracuda offers their "Barracuda Vulnerability Manager" for free at the moment and I tested it.
https://bvm.barracudanetworks.com/


Here are some of the results, pointed at my ZendTo installation:


Reflected Cross-Site Scripting
==============================
https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value "--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value "--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.

https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value "--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value "--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.

HTML-Injection
==============
https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value <h1>tjkgr</h1>, and this value was echoed back verbatim in the resulting page.

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value <h1>xt90x</h1>, and this value was echoed back verbatim in the resulting page.

https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value <h1>zrjja</h1>, and this value was echoed back verbatim in the resulting page.

https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value <h1>anhxx</h1>, and this value was echoed back verbatim in the resulting page.

Kind regards

PCFreak



On 01.03.2016 20:14, Chris Venter wrote:
Hi
Our security audit has highlighted a possible reflected cross-site scripting error on the pickup.php page. To test, we ran:

https://server_name/pickup/php?emailAddr=test" /><script>alert('XSS Test')</script>

Can anyone else confirm if this is an issue?
Thanks
CJ



_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
