[ZendTo] XSS

Der PCFreak mailinglists at pcfreak.de
Thu Mar 3 07:19:57 GMT 2016


Hi Jules,

thanks for the quick fix in pickup.php

But there still seem to be some problems in pickup.php concerning the 
'auth' parameter:

Reflected Cross-Site Scripting
------------------------------
pickup.php
The auth parameter was submitted with the value 
"--><script>prompt(12345)</script>1t58l<!--, and the string was echoed 
verbatim in the output, showing that there is a reflected XSS vulnerability.

pickup.php
The auth parameter was submitted with the value 
"--><script>prompt(12345)</script>KBY7h<!--, and the string was echoed 
verbatim in the output, showing that there is a reflected XSS vulnerability.

HTML Injection
--------------
pickup.php
The auth parameter was submitted with the value <h1>hsusx</h1>, and this 
value was echoed back verbatim in the resulting page.

pickup.php
The auth parameter was submitted with the value <h1>8pamj</h1>, and this 
value was echoed back verbatim in the resulting page.


An additional problem was also found that might be easy to fix:

Autocomplete Enabled on Password Field
--------------------------------------
index.php?action=login
Enabling autocomplete on a password field could allow the browser to 
store a user's password in plain text and show it to anyone using the 
same computer.
Add 'autocomplete=off' to every password field or login form on the site.


There are some more minor problems, too!

The fix from yesterday for pickup.php only fixed

2 Reflected Cross-Site Scripting
2 HTML Injection

vulnerabilities.

Jules, I could send you the entire report via private mail if you want 
to take a look at it and keep it confidential.

And please correct me if I am wrong about the above!

Kind regards and thanks for your work

PCFreak
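Added example (not code from the thread or from ZendTo) contrasting the three approaches discussed above: Karl's quote stripping, Jules's email-regexp check (including the wrong-variable slip he describes), and plain output encoding. The email pattern is an assumed stand-in for ZendTo's validEmailRegexp(), and the probe strings are re-typed from the scanner output as constructed test input.

```python
import html
import re

# Constructed test input: the probe strings the scanner and Chris used.
PAYLOADS = [
    '"--><script>prompt(12345)</script>1t58l<!--',   # reflected XSS probe
    '<h1>hsusx</h1>',                                 # HTML injection probe
    'test" /><script>alert(\'XSS Test\')</script>',   # manual probe
]

# Assumed stand-in for validEmailRegexp(); the real pattern is not on the page.
VALID_EMAIL = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')


def strip_quotes(value):
    """Karl's patch: drops double quotes only; '<', '>' and '-->' survive."""
    return value.replace('"', '')


def validate_wrong_variable(value, recip_email=None):
    """The slip Jules describes: the regexp is applied to $recipEmail, so the
    value that is actually echoed ($emailAddr) is never checked."""
    if recip_email is not None and not VALID_EMAIL.match(recip_email):
        return 'INVALID'
    return value


def validate_email(value):
    """Jules's intended check, applied to the same variable that gets echoed.
    Only helps for parameters that really are email addresses (not 'auth')."""
    if value is not None and not VALID_EMAIL.match(value):
        return 'INVALID'
    return value


def escape_for_html(value):
    """Output encoding for any reflected parameter, whatever its format.
    PHP equivalent: htmlspecialchars($value, ENT_QUOTES, 'UTF-8')."""
    return html.escape(value, quote=True)


def check_all():
    """Run every probe through each approach; True means markup characters
    from the input would still reach the page, i.e. the probe is reflected."""
    approaches = (('strip_quotes', strip_quotes),
                  ('wrong_variable', validate_wrong_variable),
                  ('validate_email', validate_email),
                  ('escape_for_html', escape_for_html))
    return {name: [('<' in fn(p)) or ('>' in fn(p)) for p in PAYLOADS]
            for name, fn in approaches}
```

Quote stripping and the wrong-variable check let all three probes through; the correct email check and output encoding stop them, and only encoding also covers non-email parameters such as 'auth'.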




On 02.03.2016 18:06, Jules wrote:
> Hi guys!
>
> Sorry about this one. The fault isn't actually in that line, it's just 
> below it where it says this:
>
>     if ( isset($recipEmail) && ! 
> preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {
>       $emailAddr = 'INVALID';
>     }
>
> Those 2 "$recipEmail" should of course both be "$emailAddr".
>
> I did carefully check the email address was valid, but put in the 
> wrong variable name to check. :-(
> My bad.
>
> That should fix it. No need to restart httpd or anything, just save 
> the file and reload the page.
>
> Cheers,
> Jules.
>
> P.S. Sorry I haven't done an update in *ages*. 2 questions: (1) What 
> other outstanding bugs/patches are there?, and (2) Is it worth me 
> re-writing the areyouahuman CAPTCHA code for their new one, or is 
> everyone happy with the Google one (reCAPTCHA) that is there already?
>
> On 02/03/2016 15:28, Karl Bundy wrote:
>>
>> Hi everyone,
>>
>> It appears that the issue is due to the fact that the email 
>> querystring variable is not being sanitized before being used.  I am 
>> not a skilled programmer, but I was able to make this simple change 
>> to the pickup.php file and it appears to have resolved this XSS 
>> issue.  Please use this at your own risk, as it appears to work for 
>> me, but your mileage may vary ;)
>>
>> In the pickup.php file change this line:
>>
>> $emailAddr = 
>> isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);
>>
>> to this:
>>
>> $emailAddr = 
>> str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));
>>
>> Save the file, and then test again.
>>
>> ---Karl Bundy
>>
>> *From:*zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] *On 
>> Behalf Of *Der PCFreak
>> *Sent:* Wednesday, March 02, 2016 6:10 AM
>> *To:* zendto at zend.to
>> *Subject:* Re: [ZendTo] XSS
>>
>> Hi,
>>
>> Barracuda offers their "Barracuda Vulnerability Manager" for free at 
>> the moment and I tested it.
>> https://bvm.barracudanetworks.com/
>>
>>
>> Here are some of the results pointed at my ZendTo installation:
>>
>>
>> Reflected Cross-Site Scripting
>> ==============================
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The emailAddr parameter was submitted with the value 
>> "--><script>prompt(12345)</script>lNYCi<!--, and the string was 
>> echoed verbatim in the output, showing that there is a reflected XSS 
>> vulnerability.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The auth parameter was submitted with the value 
>> "--><script>prompt(12345)</script>HyNzQ<!--, and the string was 
>> echoed verbatim in the output, showing that there is a reflected XSS 
>> vulnerability.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The emailAddr parameter was submitted with the value 
>> "--><script>prompt(12345)</script>x7RXs<!--, and the string was 
>> echoed verbatim in the output, showing that there is a reflected XSS 
>> vulnerability.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The auth parameter was submitted with the value 
>> "--><script>prompt(12345)</script>WqYcq<!--, and the string was 
>> echoed verbatim in the output, showing that there is a reflected XSS 
>> vulnerability.
>>
>> HTML-Injection
>> ==============
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The emailAddr parameter was submitted with the value <h1>tjkgr</h1>, 
>> and this value was echoed back verbatim in the resulting page.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The auth parameter was submitted with the value <h1>xt90x</h1>, and 
>> this value was echoed back verbatim in the resulting page.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The emailAddr parameter was submitted with the value <h1>zrjja</h1>, 
>> and this value was echoed back verbatim in the resulting page.
>>
>> https://your.url.tld/pickup.php
>> Issue Detail
>> The auth parameter was submitted with the value <h1>anhxx</h1>, and 
>> this value was echoed back verbatim in the resulting page.
>>
>> Kind regards
>>
>> PCFreak
>>
>>
>>
>>
>> On 01.03.2016 20:14, Chris Venter wrote:
>>
>>     Hi
>>
>>     Our security audit has highlighted a possible reflected cross
>>     site scripting error on the pickup.php page,to test we ran
>>
>>     https://server_name/pickup/php?emailAddr=test"
>>     /><script>alert('XSS Test')</script>
>>
>>     Can anyone else confirm if this is an issue?
>>
>>     Thanks
>>
>>     CJ
>>
>>
>>
>>
>>     _______________________________________________
>>
>>     ZendTo mailing list
>>
>>     ZendTo at zend.to <mailto:ZendTo at zend.to>
>>
>>     http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>
>>
>>
>>
>> Jules
>>
>> -- 
>> Julian Field MEng MBCS CITP CEng
>>
>>
>> www.Zend.To
>> Twitter: @JulesFM
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
