[ZendTo] XSS

Keith Erekson kbe2 at lehigh.edu
Wed Mar 2 18:29:05 GMT 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

I can confirm that this fixes the issue.

For the Debian package, here is the patch for /opt/zendto/www/pickup.php:

- --- pickup.php.old    2016-03-02 13:25:27.000000000 -0500
+++ pickup.php    2016-03-02 13:25:30.000000000 -0500
@@ -180,7 +180,7 @@
 
     $claimID = preg_replace('/[^a-zA-Z0-9]/', '', $claimID);
     $claimPasscode = preg_replace('/[^a-zA-Z0-9]/', '', $claimPasscode);
- -    if ( isset($recipEmail) && !
preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {
+    if ( isset($emailAddr) && !
preg_match($theDropbox->validEmailRegexp(),$emailAddr) ) {
       $emailAddr = 'INVALID';
     }
 
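Review bot: this hunk fixes only the `emailAddr` check (the `$recipEmail` to `$emailAddr` rename in the `isset()`/`preg_match()` condition), while the scanner output quoted further down also reports the `auth` parameter being echoed verbatim, and nothing here touches that path. Two further points: the patch as pasted carries PGP dash-escaping (`- ---`, `- -    if`) and the `preg_match(...)` condition has been wrapped onto a second line by the mailer, so `patch -p0` will not apply it as-is until the `- ` prefixes are dropped and the wrapped lines rejoined. Replacing a malformed value with the fixed token `'INVALID'` is a sound whitelist approach; it would still be worth HTML-encoding `$emailAddr` with `htmlspecialchars()` at the point where it is written into the page, so that a later loosening of `validEmailRegexp()` cannot re-open the reflection.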


On 03/02/2016 12:06 PM, Jules wrote:
> Hi guys!
>
> Sorry about this one. The fault isn't actually in that line, it's just
below it where it says this:
>
>     if ( isset($recipEmail) && !
preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {
>       $emailAddr = 'INVALID';
>     }
>
> Those 2 "$recipEmail" should of course both be "$emailAddr".
>
> I did carefully check the email address was valid, but put in the
wrong variable name to check. :-(
> My bad.
>
> That should fix it. No need to restart httpd or anything, just save
the file and reload the page.
>
> Cheers,
> Jules.
>
> P.S. Sorry I haven't done an update in *ages*. 2 questions: (1) What
other outstanding bugs/patches are there?, and (2) Is it worth me
re-writing the areyouahuman CAPTCHA code for their new one, or is
everyone happy with the Google one (reCAPTCHA) that is there already?
>
> On 02/03/2016 15:28, Karl Bundy wrote:
>>
>> Hi everyone,
>>
>> It appears that the issue is due to the fact that the email
querystring variable is not being sanitized before being used.  I am not
a skilled programmer, but I was able to make this simple change to the
pickup.php file and it appears to have resolved this XSS issue.  Please
use this at your own risk, as it appears to work for me, but your
mileage may vary ;)
>>
>> In the pickup.php file change this line:
>>
>> $emailAddr =
isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);
>>
>> to this:
>>
>> $emailAddr =
str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));
>>
>> Save the file, and then test again.
>>
>> ---Karl Bundy
>>
>> *From:*zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] *On
Behalf Of *Der PCFreak
>> *Sent:* Wednesday, March 02, 2016 6:10 AM
>> *To:* zendto at zend.to
>> *Subject:* Re: [ZendTo] XSS
>>
>> Hi,
>>
>> Barracuda offers their "Barracuda Vulnerability Manager" for free at
the moment and I tested it.
>> https://bvm.barracudanetworks.com/
>>
>>
>> Here some of the results pointed at my ZendTo installation:
>>
>>
>> Reflected Cross-Site Scripting
>> ==============================
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The emailAddr parameter was submitted with the value
"--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed
verbatim in the output, showing that there is a reflected XSS vulnerability.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The auth parameter was submitted with the value
"--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed
verbatim in the output, showing that there is a reflected XSS vulnerability.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The emailAddr parameter was submitted with the value
"--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed
verbatim in the output, showing that there is a reflected XSS vulnerability.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The auth parameter was submitted with the value
"--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed
verbatim in the output, showing that there is a reflected XSS vulnerability.
>>
>> HTML-Injection
>> ==============
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The emailAddr parameter was submitted with the value <h1>tjkgr</h1>,
and this value was echoed back verbatim in the resulting page.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The auth parameter was submitted with the value <h1>xt90x</h1>, and
this value was echoed back verbatim in the resulting page.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The emailAddr parameter was submitted with the value <h1>zrjja</h1>,
and this value was echoed back verbatim in the resulting page.
>> View Full HTTP Request and Response
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The auth parameter was submitted with the value <h1>anhxx</h1>, and
this value was echoed back verbatim in the resulting page.
>>
>> Kind regards
>>
>> PCFreak
>>
>> On 01.03.2016 20:14, Chris Venter wrote:
>>
>>     Hi
>>
>>     Our security audit has highlighted a possible reflected cross
site scripting error on the pickup.php page,to test we ran
>>
>>     https://server_name/pickup/php?emailAddr=test"
/><script>alert('XSS Test')</script>
>>
>>     Can anyone else confirm if this is an issue?
>>
>>     Thanks
>>
>>     CJ
>>
>>     _______________________________________________
>>
>>     ZendTo mailing list
>>
>>     ZendTo at zend.to <mailto:ZendTo at zend.to>
>>
>>     http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>
>>
>> Jules
>>
>> --
>> Julian Field MEng MBCS CITP CEng
>>
>>
>> www.Zend.To
>> Twitter: @JulesFM
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJW1zDuAAoJEMdFVhhDm2SFvU4H/3ql/g9ugTk9c4oclyU9ZKeX
oOd0/ZIJ0wQLEqejDkXVj8QzP2651C+8RBt96vGJMQx7N7SowfGUqOQZtKwK2hlA
B5bGzI/MXcpvolhb7GCI5LlBnfmau5L1qtRzqHJbtXgoW5k2TicEXzKpOUZwj9/J
y8HTmO8f/rqUREG3kdmQrLsqHsAbUzz63uV8ocLLPTsDq9hBNMrLlW/OtrWJ3sWk
MvKTh6PGwYMl4nLiObGoA0hYPnzzTYNv2kPLG8XeZqSp/btr3tPPadZ6NmoLYyDm
uX6G3ywdW5jAJZj2oUHu7hc6FCyItV/WewvdVDvuagecDmuVTB8zOF5J/rpQkOM=
=rcZ8
-----END PGP SIGNATURE-----
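
The thread above describes two layers that matter for this bug: Jules's fix (validate the variable that is actually echoed and replace anything malformed with the fixed token `'INVALID'`) and the reason Karl's quote-stripping workaround is only partial (the `<h1>tjkgr</h1>` probe quoted from the scanner contains no double quote at all). The following is an added example, not code from ZendTo or from anyone in this thread, that models the `emailAddr` handling end to end. `validEmailRegexp()` here is an assumed stand-in for `$theDropbox->validEmailRegexp()`, whose real pattern is not on this page, and `readEmailAddr()`, `validateEmailAddr()` and `renderEmailField()` (including its `<input>` markup) are hypothetical names introduced for the illustration.

```php
<?php
// Added example, not ZendTo's own code: a self-contained model of the
// emailAddr handling discussed in this thread.

// Assumed stand-in for $theDropbox->validEmailRegexp(); ZendTo's real
// pattern is not shown on this page.
function validEmailRegexp(): string
{
    return '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/';
}

// The read that Karl quotes: the parameter comes from POST, else GET, else null.
function readEmailAddr(array $post, array $get): ?string
{
    return isset($post['emailAddr']) ? $post['emailAddr']
         : (isset($get['emailAddr']) ? $get['emailAddr'] : null);
}

// Jules's fix as described: check the variable that is actually echoed, and
// replace anything that is not a well-formed address with the fixed token
// 'INVALID', so no attacker-controlled bytes survive validation.
function validateEmailAddr(?string $emailAddr): ?string
{
    if (isset($emailAddr) && !preg_match(validEmailRegexp(), $emailAddr)) {
        return 'INVALID';
    }
    return $emailAddr;
}

// Defence in depth, independent of validation: encode at the point of output
// (hypothetical markup; ZendTo's actual template is not on this page). With
// ENT_QUOTES both quote characters are encoded, so the value cannot close the
// attribute, and < > & are encoded, so it cannot start a new element.
function renderEmailField(?string $emailAddr): string
{
    $safe = htmlspecialchars((string) $emailAddr, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="emailAddr" value="' . $safe . '">';
}

// Constructed inputs: one legitimate address and the two probe shapes quoted
// from the scanner output in this thread. The third contains no double quote,
// which is why stripping '"' alone is not enough.
$samples = [
    'alice@example.org',
    '"--><script>prompt(12345)</script>lNYCi<!--',
    '<h1>tjkgr</h1>',
];

foreach ($samples as $raw) {
    $value = validateEmailAddr(readEmailAddr([], ['emailAddr' => $raw]));
    echo renderEmailField($value), PHP_EOL;
}
```

Run it with `php` from the command line; no web server is needed. The two layers are deliberately independent: validation keeps untrusted bytes out of `$emailAddr` entirely, and output encoding guarantees that whatever does reach the template is rendered as text, so a later change to the regex does not reopen the reflection. The `auth` parameter reported by the scanner would need the same treatment on its own path.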
