[ZendTo] ZendTo Digest, Vol 68, Issue 3

Chris Venter chris.venter1 at gmail.com
Wed Mar 2 16:27:41 GMT 2016


Hi All

Thanks for the help, I will try the fix and test again.

Thanks
C

On 2 March 2016 at 15:29, <zendto-request at zend.to> wrote:

> Send ZendTo mailing list submissions to
>         zendto at zend.to
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
> or, via email, send a message with subject or body 'help' to
>         zendto-request at zend.to
>
> You can reach the person managing the list at
>         zendto-owner at zend.to
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of ZendTo digest..."
>
> Today's Topics:
>
>    1. Re: XSS (Der PCFreak)
>    2. Re: XSS (Karl Bundy)
>    3. Re: XSS (Karl Bundy)
>
>
> ---------- Forwarded message ----------
> From: Der PCFreak <mailinglists at pcfreak.de>
> To: zendto at zend.to
> Cc:
> Date: Wed, 2 Mar 2016 14:09:53 +0100
> Subject: Re: [ZendTo] XSS
> Hi,
>
> Barracuda offers their "Barracuda Vulnerability Manager" for free at the
> moment and I tested it.
> https://bvm.barracudanetworks.com/
>
>
> Here are some of the results pointed at my ZendTo installation:
>
>
> Reflected Cross-Site Scripting
> ==============================
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value
> "--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value
> "--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value
> "--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value
> "--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
>
> HTML-Injection
> ==============
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value <h1>tjkgr</h1>, and
> this value was echoed back verbatim in the resulting page.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value <h1>xt90x</h1>, and this
> value was echoed back verbatim in the resulting page.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value <h1>zrjja</h1>, and
> this value was echoed back verbatim in the resulting page.
> View Full HTTP Request and Response
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value <h1>anhxx</h1>, and this
> value was echoed back verbatim in the resulting page.
>
> Kind regards
>
> PCFreak
>
>
>
>
>
> On 01.03.2016 20:14, Chris Venter wrote:
>
> Hi
>
> Our security audit has highlighted a possible reflected cross site
> scripting error on the pickup.php page, to test we ran
>
> https://server_name/pickup/php?emailAddr=test" /><script>alert('XSS
> Test')</script>
>
> Can anyone else confirm if this is an issue?
>
> Thanks
> CJ
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
>
>
>
> ---------- Forwarded message ----------
> From: Karl Bundy <karl.bundy at aldentorch.com>
> To: ZendTo Users <zendto at zend.to>
> Cc:
> Date: Wed, 2 Mar 2016 15:28:19 +0000
> Subject: Re: [ZendTo] XSS
>
> Hi everyone,
>
>
>
> It appears that the issue is due to the fact that the email querystring
> variable is not being sanitized before being used.  I am not a skilled
> programmer, but I was able to make this simple change to the pickup.php
> file and it appears to have resolved this XSS issue.  Please use this at
> your own risk, as it appears to work for me, but your mileage may vary ;)
>
>
>
> In the pickup.php file change this line:
>
>
>
> $emailAddr =
> isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);
>
>
>
> to this:
>
>
>
> $emailAddr =
> str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));
>
>
>
>
>
> Save the file, and then test again.
>
>
>
>
>
> ---Karl Bundy
>
>
>
> ---------- Forwarded message ----------
> From: Karl Bundy <karl.bundy at aldentorch.com>
> To: ZendTo Users <zendto at zend.to>
> Cc:
> Date: Wed, 2 Mar 2016 15:29:32 +0000
> Subject: Re: [ZendTo] XSS
>
> I forgot to mention that this was based on the code for version 4.12
>
>
>
> --- Karl Bundy
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
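The change Karl posted strips only double quotes from the parameter on input. The following is an added illustration, not ZendTo's own code and not from anyone on the list: it puts that str_replace('"', '') change beside htmlspecialchars() output encoding so the difference in coverage is visible. The function names and the two echo contexts (an attribute value and a text node) are assumptions about how pickup.php renders the value; the sample inputs are constructed from the scanner findings quoted above.

```php
<?php
// Added illustration, not ZendTo's own code. The render contexts and helper
// names are assumptions; the sample values are constructed from the thread.

// Same POST-then-GET lookup as the line quoted from pickup.php.
function rawParam(array $post, array $get, string $name): ?string
{
    if (isset($post[$name])) {
        return $post[$name];
    }
    return isset($get[$name]) ? $get[$name] : null;
}

// The fix proposed on the list: remove double quotes and nothing else.
function stripQuotes(?string $value): string
{
    return str_replace('"', '', (string) $value);
}

// Output encoding: &, <, >, " and ' become entities, so the value can
// neither close a quoted attribute nor start a tag or a comment.
function encodeForHtml(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Optional second layer: only accept syntactically valid addresses at all.
function isValidEmail(?string $value): bool
{
    return $value !== null && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Two places a pickup page might echo the parameter (assumed contexts).
function renderAttribute(string $value): string
{
    return '<input type="text" name="emailAddr" value="' . $value . '">';
}

function renderText(string $value): string
{
    return '<p>No drop-off found for ' . $value . '</p>';
}

// Constructed inputs modelled on the scanner findings quoted in the thread.
$samples = [
    'plain'          => 'user@example.org',
    'scanner-xss'    => '"--><script>prompt(12345)</script>lNYCi<!--',
    'html-injection' => '<h1>tjkgr</h1>',
];

foreach ($samples as $label => $raw) {
    $value = rawParam([], ['emailAddr' => $raw], 'emailAddr');
    printf("== %s (valid email: %s) ==\n", $label, isValidEmail($value) ? 'yes' : 'no');
    printf("attribute, strip-quotes : %s\n", renderAttribute(stripQuotes($value)));
    printf("attribute, encoded      : %s\n", renderAttribute(encodeForHtml($value)));
    printf("text,      strip-quotes : %s\n", renderText(stripQuotes($value)));
    printf("text,      encoded      : %s\n\n", renderText(encodeForHtml($value)));
}
```

Run it with `php example.php`. In the attribute context the quote-stripping change keeps the scanner payload inside the attribute, which is why it appeared to work; in the text context the `<script>` element survives untouched, and the `<h1>` finding is unchanged in both contexts. With htmlspecialchars() every sample renders as inert text. Encoding belongs at each point where the value is echoed (the scanner flagged `auth` as well as `emailAddr`), and validating the address with filter_var() is a useful extra check, not a replacement for encoding.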