[ZendTo] XSS
Jules
Jules at Zend.To
Wed Mar 2 17:06:58 GMT 2016
Hi guys!
Sorry about this one. The fault isn't actually in that line, it's just
below it where it says this:
if ( isset($recipEmail) && !
preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {
$emailAddr = 'INVALID';
}
Those 2 "$recipEmail" should of course both be "$emailAddr".
I did carefully check the email address was valid, but put in the wrong
variable name to check. :-(
My bad.
That should fix it. No need to restart httpd or anything, just save the
file and reload the page.
Cheers,
Jules.
P.S. Sorry I haven't done an update in *ages*. 2 questions: (1) What
other outstanding bugs/patches are there?, and (2) Is it worth me
re-writing the areyouahuman CAPTCHA code for their new one, or is
everyone happy with the Google one (reCAPTCHA) that is there already?
On 02/03/2016 15:28, Karl Bundy wrote:
>
> Hi everyone,
>
> It appears that the issue is due to the fact that the email
> querystring variable is not being sanitized before being used. I am
> not a skilled programmer, but I was able to make this simple change to
> the pickup.php file and it appears to have resolved this XSS issue.
> Please use this at your own risk, as it appears to work for me, but
> your mileage may vary ;)
>
> In the pickup.php file change this line:
>
> $emailAddr =
> isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);
>
> to this:
>
> $emailAddr =
> str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));
>
> Save the file, and then test again.
>
> ---Karl Bundy
>
> From: zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] On Behalf Of Der PCFreak
> Sent: Wednesday, March 02, 2016 6:10 AM
> To: zendto at zend.to
> Subject: Re: [ZendTo] XSS
>
> Hi,
>
> Barracuda offers their "Barracuda Vulnerability Manager" for free at
> the moment and I tested it.
> https://bvm.barracudanetworks.com/
>
>
> Here are some of the results when pointed at my ZendTo installation:
>
>
> Reflected Cross-Site Scripting
> ==============================
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value
> "--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS
> vulnerability.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value
> "--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS
> vulnerability.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value
> "--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS
> vulnerability.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value
> "--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS
> vulnerability.
>
> HTML-Injection
> ==============
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value <h1>tjkgr</h1>,
> and this value was echoed back verbatim in the resulting page.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value <h1>xt90x</h1>, and
> this value was echoed back verbatim in the resulting page.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The emailAddr parameter was submitted with the value <h1>zrjja</h1>,
> and this value was echoed back verbatim in the resulting page.
>
> https://your.url.tld/pickup.php
> Issue Detail
> The auth parameter was submitted with the value <h1>anhxx</h1>, and
> this value was echoed back verbatim in the resulting page.
>
> Kind regards
>
> PCFreak
>
>
>
>
> On 01.03.2016 20:14, Chris Venter wrote:
>
> Hi
>
> Our security audit has highlighted a possible reflected cross-site
> scripting error on the pickup.php page; to test, we ran
>
> https://server_name/pickup/php?emailAddr=test"
> /><script>alert('XSS Test')</script>
>
> Can anyone else confirm if this is an issue?
>
> Thanks
>
> CJ
>
>
>
>
> _______________________________________________
>
> ZendTo mailing list
>
> ZendTo at zend.to <mailto:ZendTo at zend.to>
>
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
>
>
>
> Jules
>
> --
> Julian Field MEng MBCS CITP CEng
>
>
> www.Zend.To
> Twitter: @JulesFM
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
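To make the difference between the two fixes in this thread concrete, here is an added example (not code from ZendTo's pickup.php, nor from Jules's or Karl's messages) that puts three treatments of an emailAddr parameter side by side: Karl's quote-stripping, Jules's corrected validity check, and HTML output encoding at the point of echo. ZendTo's own validEmailRegexp() is not available here, so the example assumes a deliberately simple stand-in pattern; the sample inputs are constructed, except the <h1> payload, which is the scanner's own from the quoted report.

```php
<?php
// Added example, not ZendTo code. Three treatments of the emailAddr
// parameter, so the gap between stripping quotes, validating, and
// output-encoding is visible on the same inputs.

// Assumption: stand-in for $theDropbox->validEmailRegexp(), which is
// not part of this example. Anchored so trailing markup cannot pass.
function validEmailRegexp(): string {
    return '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/';
}

// Mirrors the request-reading line quoted in the thread: POST first,
// then GET, otherwise NULL. Nothing here is sanitized yet.
function readEmailAddr(array $post, array $get): ?string {
    return isset($post['emailAddr']) ? $post['emailAddr']
         : (isset($get['emailAddr']) ? $get['emailAddr'] : null);
}

// Karl's approach: remove double quotes only. Any value that carries
// no double quote (such as an <h1> tag) passes through unchanged.
function stripQuotes(?string $emailAddr): ?string {
    return $emailAddr === null ? null : str_replace('"', '', $emailAddr);
}

// Jules's corrected check: test $emailAddr itself (not $recipEmail)
// against the address pattern; anything that fails becomes 'INVALID'.
function validateEmailAddr(?string $emailAddr): ?string {
    if (isset($emailAddr) && !preg_match(validEmailRegexp(), $emailAddr)) {
        $emailAddr = 'INVALID';
    }
    return $emailAddr;
}

// Output encoding: applied where the value is echoed into HTML, so even
// a value that slipped past validation cannot open a tag or attribute.
function renderEmailAddr(?string $emailAddr): string {
    return htmlspecialchars((string) $emailAddr, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample requests. The second value is the scanner's own
// HTML-injection probe from the quoted report; the third shows why the
// regex must be anchored at both ends.
$samples = [
    ['emailAddr' => 'alice@example.org'],
    ['emailAddr' => '<h1>tjkgr</h1>'],
    ['emailAddr' => 'bob@example.org<h1>x</h1>'],
];

foreach ($samples as $get) {
    $raw = readEmailAddr([], $get);
    printf("input:     %s\n", $raw);
    printf("  strip:   %s\n", stripQuotes($raw));
    printf("  valid:   %s\n", validateEmailAddr($raw));
    printf("  encoded: %s\n\n", renderEmailAddr(validateEmailAddr($raw)));
}
```

Run with `php example.php`. Only the first input survives validation; the other two come out as 'INVALID', while stripQuotes() leaves both tag payloads intact because neither contains a double quote. The encoded line shows the defence that does not depend on the validation being right: whatever reaches the echo is emitted as text, not markup.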