[ZendTo] XSS

Keith Erekson kbe2 at lehigh.edu
Wed Mar 2 18:16:02 GMT 2016


4.12-5

On 03/02/2016 01:57 AM, Brian Pocock wrote:
> What version of Zend.to are you running? There is a known XSS in an earlier version of code.
>
> Brian Pocock - Consultant
> Nebulas
>
> On 1 Mar 2016, at 22:14, Keith Erekson <kbe2 at lehigh.edu> wrote:
>
>> Tested on Mac OS X 10.10, seems to work in Firefox (41 and 44), but
>> not Chrome (48) nor Safari (9).
>>
>> (pickup.php, not pickup/php for anyone who wants to try)
>>
>> ~Keith
>>
>> On 03/01/2016 02:14 PM, Chris Venter wrote:
>>> Hi
>>>
>>> Our security audit has highlighted a possible reflected cross
>>> site scripting error on the pickup.php page, to test we ran
>>>
>>> https://server_name/pickup/php?emailAddr=test"
>>> /><script>alert('XSS Test')</script>
>>>
>>> Can anyone else confirm if this is an issue?
>>>
>>> Thanks
>>>
>>> CJ
>>>
>>> _______________________________________________
>>> ZendTo mailing list
>>> ZendTo at zend.to
>>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>
> *Company name:* Nebulas Solutions Group Ltd *Company Registration
> Number:* 04281153 *Place of Registration:* England and Wales *Registered
> Office Address:* 256 Waterloo Road, London, SE1 8RF

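The attribute-context breakout behind the audit payload, as an added example in Python (not ZendTo's own PHP code): the same emailAddr value rendered unescaped into an input's value attribute versus entity-encoded first, with html.parser showing what a browser would build from each. The input markup is a constructed stand-in for whatever pickup.php actually emits; the PHP equivalent of the fix is htmlspecialchars($v, ENT_QUOTES).

```python
import html
from html.parser import HTMLParser

# Constructed from the audit URL quoted in the thread. The leading double
# quote closes the value="..." attribute, "/>" closes the input tag, and the
# script element that follows is then parsed as markup instead of text.
AUDIT_PAYLOAD = 'test" /><script>alert(\'XSS Test\')</script>'

# Hypothetical stand-in for the form field pickup.php reflects the value into.
TEMPLATE = '<input type="text" name="emailAddr" value="%s">'


def render_unescaped(email_addr: str) -> str:
    """Vulnerable pattern: the query parameter goes straight into an
    attribute value, which is what a reflected XSS on pickup.php looks like."""
    return TEMPLATE % email_addr


def render_escaped(email_addr: str) -> str:
    """Hardened pattern: entity-encode the value, quotes included, before it
    reaches an HTML attribute (htmlspecialchars($v, ENT_QUOTES) in PHP)."""
    return TEMPLATE % html.escape(email_addr, quote=True)


class _TagCollector(HTMLParser):
    """Records (tag, attrs) for every start tag so we can see the elements a
    browser's parser would build from the rendered fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # html.parser decodes entity references in attribute values for us,
        # so an escaped value comes back as the original string.
        self.tags.append((tag, dict(attrs)))


def parse_tags(fragment: str):
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def reflected_script(fragment: str) -> bool:
    """True if the fragment contains a <script> start tag, i.e. the parameter
    value escaped its attribute and became markup."""
    return any(tag == "script" for tag, _ in parse_tags(fragment))
```

The browser split Keith reports is consistent with the reflected-XSS filters Chrome and Safari shipped at the time and Firefox did not; a client-side filter is not a fix, so the server-side encoding is what to verify.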
