[ZendTo] XSS

Chris Venter chris.venter1 at gmail.com
Wed Mar 2 22:15:13 GMT 2016


I can also confirm the fix from Jules has worked. Thanks for the help, all;
as for the other questions, reCAPTCHA is fine for our use.

Cheers
C

On 2 March 2016 at 18:29, Keith Erekson <kbe2 at lehigh.edu> wrote:

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> I can confirm that this fixes the issue.
>
> For the Debian package, here is the patch for /opt/zendto/www/pickup.php:
>
> - --- pickup.php.old    2016-03-02 13:25:27.000000000 -0500
> +++ pickup.php    2016-03-02 13:25:30.000000000 -0500
> @@ -180,7 +180,7 @@
>
>      $claimID = preg_replace('/[^a-zA-Z0-9]/', '', $claimID);
>      $claimPasscode = preg_replace('/[^a-zA-Z0-9]/', '', $claimPasscode);
> - -    if ( isset($recipEmail) && !
> preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {
> +    if ( isset($emailAddr) && !
> preg_match($theDropbox->validEmailRegexp(),$emailAddr) ) {
>        $emailAddr = 'INVALID';
>      }
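Review bot: the real change here is the variable under test: `isset($recipEmail)` was always false because `$recipEmail` is never assigned in this region, so the regexp check was silently skipped, and switching both references to `$emailAddr` makes the guard act on the value actually read from the request. Two follow-ups for whoever applies it: the leading `- ` on the `---` and `-    if` lines is PGP dash-escaping from the signed message and must be stripped before feeding the text to `patch`; and the hunk only covers `emailAddr`, while the scan quoted further down in the thread reports the same reflection for the `auth` parameter, which this patch leaves untouched. Consider also passing `$emailAddr` through `htmlspecialchars()` where it is echoed into the page, so that any value the regexp admits still cannot change the HTML structure.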
>
>
>
> On 03/02/2016 12:06 PM, Jules wrote:
> > Hi guys!
> >
> > Sorry about this one. The fault isn't actually in that line, it's just
> below it where it says this:
> >
> >     if ( isset($recipEmail) && !preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {
> >       $emailAddr = 'INVALID';
> >     }
> >
> > Those 2 "$recipEmail" should of course both be "$emailAddr".
> >
> > I did carefully check the email address was valid, but put in the wrong
> variable name to check. :-(
> > My bad.
> >
> > That should fix it. No need to restart httpd or anything, just save the
> file and reload the page.
> >
> > Cheers,
> > Jules.
> >
> > P.S. Sorry I haven't done an update in *ages*. 2 questions: (1) What
> other outstanding bugs/patches are there?, and (2) Is it worth me
> re-writing the areyouahuman CAPTCHA code for their new one, or is everyone
> happy with the Google one (reCAPTCHA) that is there already?
> >
> > On 02/03/2016 15:28, Karl Bundy wrote:
> >>
> >> Hi everyone,
> >>
> >> It appears that the issue is due to the fact that the email querystring
> variable is not being sanitized before being used.  I am not a skilled
> programmer, but I was able to make this simple change to the pickup.php
> file and it appears to have resolved this XSS issue.  Please use this at
> your own risk, as it appears to work for me, but your mileage may vary ;)
> >>
> >>
> >>
> >> In the pickup.php file change this line:
> >>
> >>
> >>
> >> $emailAddr = isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);
> >>
> >>
> >>
> >> to this:
> >>
> >>
> >>
> >> $emailAddr = str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));
> >>
> >> Save the file, and then test again.
> >>
> >> ---Karl Bundy
> >>
> >> *From:*zendto-bounces at zend.to [mailto:zendto-bounces at zend.to
> <zendto-bounces at zend.to>] *On Behalf Of *Der PCFreak
> >> *Sent:* Wednesday, March 02, 2016 6:10 AM
> >> *To:* zendto at zend.to
> >> *Subject:* Re: [ZendTo] XSS
> >>
> >> Hi,
> >>
> >> Barracuda offers their "Barracuda Vulnerability Manager" for free at
> the moment and I tested it.
> >> https://bvm.barracudanetworks.com/
> >>
> >>
> >> Here are some of the results pointed at my ZendTo installation:
> >>
> >>
> >> Reflected Cross-Site Scripting
> >> ==============================
> >> https://your.url.tld/pickup.php
> >> Issue Detail
> >> The emailAddr parameter was submitted with the value
> "--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
> >>
> >> https://your.url.tld/pickup.php
> >> Issue Detail
> >> The auth parameter was submitted with the value
> "--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
> >>
> >> https://your.url.tld/pickup.php
> >> Issue Detail
> >> The emailAddr parameter was submitted with the value
> "--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
> >>
> >> https://your.url.tld/pickup.php
> >> Issue Detail
> >> The auth parameter was submitted with the value
> "--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed
> verbatim in the output, showing that there is a reflected XSS vulnerability.
> >>
> >> HTML-Injection
> >> ==============
> >> https://your.url.tld/pickup.php
> >> Issue Detail
> >> The emailAddr parameter was submitted with the value <h1>tjkgr</h1>,
> and this value was echoed back verbatim in the resulting page.
> >>
> >> https://your.url.tld/pickup.php
> >> Issue Detail
> >> The auth parameter was submitted with the value <h1>xt90x</h1>, and
> this value was echoed back verbatim in the resulting page.
> >>
> >> https://your.url.tld/pickup.php
> >> Issue Detail
> >> The emailAddr parameter was submitted with the value <h1>zrjja</h1>,
> and this value was echoed back verbatim in the resulting page.
> >> View Full HTTP Request and Response
> >>
> >> https://your.url.tld/pickup.php
> >> Issue Detail
> >> The auth parameter was submitted with the value <h1>anhxx</h1>, and
> this value was echoed back verbatim in the resulting page.
> >>
> >> Kind regards
> >>
> >> PCFreak
> >>
> >>
> >>
> >>
> >> On 01.03.2016 20:14, Chris Venter wrote:
> >>
> >>     Hi
> >>
> >>     Our security audit has highlighted a possible reflected cross-site
> scripting error on the pickup.php page; to test, we ran
> >>
> >>     https://server_name/pickup/php?emailAddr=test" /><script>alert('XSS Test')</script>
> >>
> >>     Can anyone else confirm if this is an issue?
> >>
> >>     Thanks
> >>
> >>     CJ
> >>
> >>     _______________________________________________
> >>
> >>     ZendTo mailing list
> >>
> >>     ZendTo at zend.to
> >>
> >>     http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
> >>
> >>
> >> Jules
> >>
> >> --
> >> Julian Field MEng MBCS CITP CEng
> >>
> >>
> >> www.Zend.To
> >> Twitter: @JulesFM
> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
> >
>
>
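As an added illustration of the bug discussed in this thread (this is not ZendTo's own code; `$validEmailRegexp` stands in for `$theDropbox->validEmailRegexp()`, and the regexp and the request arrays are constructed for the example), here is the weak reflection of the emailAddr parameter beside a hardened version that validates the variable actually in use and escapes it on output:

```php
<?php
// Added example, not ZendTo's pickup.php. Both functions take the request
// parameters as an array so they can be exercised without a web server.

// Weak: the raw parameter is written straight into the page, which is the
// pattern the scanner flagged. Stripping only '"' (the first workaround in
// the thread) still leaves tags such as <h1>...</h1> intact.
function renderEmailFieldWeak(array $request)
{
    $emailAddr = isset($request['emailAddr']) ? $request['emailAddr'] : null;
    return '<input type="text" name="emailAddr" value="' . $emailAddr . '">';
}

// Hardened: validate $emailAddr itself (the thread's fix; the original code
// tested $recipEmail, which was never set, so isset() was false and the
// regexp never ran), then escape on output so that whatever the validator
// admits can no longer change the HTML structure.
function renderEmailFieldSafe(array $request, $validEmailRegexp)
{
    $emailAddr = isset($request['emailAddr']) ? $request['emailAddr'] : null;
    if (isset($emailAddr) && !preg_match($validEmailRegexp, $emailAddr)) {
        $emailAddr = 'INVALID';
    }
    $escaped = htmlspecialchars((string) $emailAddr, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="emailAddr" value="' . $escaped . '">';
}

// Constructed inputs: an assumed stand-in for validEmailRegexp(), one
// benign address, and one of the HTML-injection probes quoted in the thread.
$validEmailRegexp = '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/';
$benign = array('emailAddr' => 'user@example.com');
$probe  = array('emailAddr' => '<h1>tjkgr</h1>');

echo renderEmailFieldWeak($probe), "\n";                    // tag reaches the page unchanged
echo renderEmailFieldSafe($probe, $validEmailRegexp), "\n";  // value="INVALID"
echo renderEmailFieldSafe($benign, $validEmailRegexp), "\n"; // value="user@example.com"
```

Run it with `php example.php` to compare the three rendered fields; the escaping step is what keeps the page safe even for the `auth` parameter case, which the thread's patch does not cover.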

