[ZendTo] XSS

Der PCFreak mailinglists at pcfreak.de
Thu Mar 3 09:16:22 GMT 2016


Hi,

the following patch in /opt/zendto/templates/login.tpl mitigates the 
minor problem of password autocompletion through login.php:

<       <td><input type="password" id="passwordField" name="password" 
size="15" value=""/></td>
---
 >       <!-- <td><input type="password" id="passwordField" 
name="password" size="15" value=""/></td> -->
 >       <td><input type="password" id="passwordField" name="password" 
size="15" value=""autocomplete="off"/></td>
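Review bot: the replacement `<td>` line runs two attributes together, `value=""autocomplete="off"`; browsers recover from the missing whitespace, but the template should read `value="" autocomplete="off"`. Rather than keeping the old `<td>` inside an HTML comment, drop it, since commented-out markup is still sent to every client. Note also that current browsers ignore `autocomplete="off"` on password fields for their own password managers, so this change satisfies the scanner finding more than it removes the underlying risk.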

Greets

PCFreak

On 03.03.2016 08:19, Der PCFreak wrote:
> Hi Jules,
>
> thanks for the quick fix in pickup.php
>
> But there seem to be still some problems in pickup.php concerning the 
> 'auth' parameter:
>
> Reflected Cross-Site Scripting
> ------------------------------
> pickup.php
> The auth parameter was submitted with the value 
> "--><script>prompt(12345)</script>1t58l<!--, and the string was echoed 
> verbatim in the output, showing that there is a reflected XSS 
> vulnerability.
>
> pickup.php
> The auth parameter was submitted with the value 
> "--><script>prompt(12345)</script>KBY7h<!--, and the string was echoed 
> verbatim in the output, showing that there is a reflected XSS 
> vulnerability.
>
> HTML Injection
> --------------
> pickup.php
> The auth parameter was submitted with the value <h1>hsusx</h1>, and 
> this value was echoed back verbatim in the resulting page.
>
> pickup.php
> The auth parameter was submitted with the value <h1>8pamj</h1>, and 
> this value was echoed back verbatim in the resulting page.
>
>
> Also an additional problem was found that might be easy to fix:
>
> Autocomplete Enabled on Password Field
> --------------------------------------
> index.php?action=login
> Enabling autocomplete on a password field could allow the browser to 
> store a user's password in plain text and show it to anyone using the 
> same computer.
> Add 'autocomplete=off' to every password field or login form on the site.
>
>
> There are some more minor problems, too!
>
> The fix from yesterday for pickup.php only fixed
>
> 2 Reflected Cross-Site Scripting
> 2 HTML Injection
>
> vulnerabilities.
>
> Jules, I could send you the entire report via private mail if you want 
> to take a look at it and keep it confidential.
>
> And please correct me, if I am wrong with the above!
>
> Kind regards and thanks for your work
>
> PCFreak
>
>
>
>
> On 02.03.2016 18:06, Jules wrote:
>> Hi guys!
>>
>> Sorry about this one. The fault isn't actually in that line, it's 
>> just below it where it says this:
>>
>>     if ( isset($recipEmail) && ! 
>> preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {
>>       $emailAddr = 'INVALID';
>>     }
>>
>> Those 2 "$recipEmail" should of course both be "$emailAddr".
>>
>> I did carefully check the email address was valid, but put in the 
>> wrong variable name to check. :-(
>> My bad.
>>
>> That should fix it. No need to restart httpd or anything, just save 
>> the file and reload the page.
>>
>> Cheers,
>> Jules.
>>
>> P.S. Sorry I haven't done an update in *ages*. 2 questions: (1) What 
>> other outstanding bugs/patches are there?, and (2) Is it worth me 
>> re-writing the areyouahuman CAPTCHA code for their new one, or is 
>> everyone happy with the Google one (reCAPTCHA) that is there already?
>>
>> On 02/03/2016 15:28, Karl Bundy wrote:
>>>
>>> Hi everyone,
>>>
>>> It appears that the issue is due to the fact that the email 
>>> querystring variable is not being sanitized before being used.  I am 
>>> not a skilled programmer, but I was able to make this simple change 
>>> to the pickup.php file and it appears to have resolved this XSS 
>>> issue.  Please use this at your own risk, as it appears to work for 
>>> me, but your mileage may vary ;)
>>>
>>> In the pickup.php file change this line:
>>>
>>> $emailAddr = 
>>> isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);
>>>
>>> to this:
>>>
>>> $emailAddr = 
>>> str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));
>>>
>>> Save the file, and then test again.
>>>
>>> ---Karl Bundy
>>>
>>> *From:*zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] *On 
>>> Behalf Of *Der PCFreak
>>> *Sent:* Wednesday, March 02, 2016 6:10 AM
>>> *To:* zendto at zend.to
>>> *Subject:* Re: [ZendTo] XSS
>>>
>>> Hi,
>>>
>>> Barracuda offers their "Barracuda Vulnerability Manager" for free at 
>>> the moment and I tested it.
>>> https://bvm.barracudanetworks.com/
>>>
>>>
>>> Here some of the results pointed at my ZendTo installation:
>>>
>>>
>>> Reflected Cross-Site Scripting
>>> ==============================
>>> https://your.url.tld/pickup.php
>>> Issue Detail
>>> The emailAddr parameter was submitted with the value 
>>> "--><script>prompt(12345)</script>lNYCi<!--, and the string was 
>>> echoed verbatim in the output, showing that there is a reflected XSS 
>>> vulnerability.
>>>
>>> https://your.url.tld/pickup.php
>>> Issue Detail
>>> The auth parameter was submitted with the value 
>>> "--><script>prompt(12345)</script>HyNzQ<!--, and the string was 
>>> echoed verbatim in the output, showing that there is a reflected XSS 
>>> vulnerability.
>>>
>>> https://your.url.tld/pickup.php
>>> Issue Detail
>>> The emailAddr parameter was submitted with the value 
>>> "--><script>prompt(12345)</script>x7RXs<!--, and the string was 
>>> echoed verbatim in the output, showing that there is a reflected XSS 
>>> vulnerability.
>>>
>>> https://your.url.tld/pickup.php
>>> Issue Detail
>>> The auth parameter was submitted with the value 
>>> "--><script>prompt(12345)</script>WqYcq<!--, and the string was 
>>> echoed verbatim in the output, showing that there is a reflected XSS 
>>> vulnerability.
>>>
>>> HTML-Injection
>>> ==============
>>> https://your.url.tld/pickup.php
>>> Issue Detail
>>> The emailAddr parameter was submitted with the value <h1>tjkgr</h1>, 
>>> and this value was echoed back verbatim in the resulting page.
>>>
>>> https://your.url.tld/pickup.php
>>> Issue Detail
>>> The auth parameter was submitted with the value <h1>xt90x</h1>, and 
>>> this value was echoed back verbatim in the resulting page.
>>>
>>> https://your.url.tld/pickup.php
>>> Issue Detail
>>> The emailAddr parameter was submitted with the value <h1>zrjja</h1>, 
>>> and this value was echoed back verbatim in the resulting page.
>>> View Full HTTP Request and Response
>>>
>>> https://your.url.tld/pickup.php
>>> Issue Detail
>>> The auth parameter was submitted with the value <h1>anhxx</h1>, and 
>>> this value was echoed back verbatim in the resulting page.
>>>
>>> Kind regards
>>>
>>> PCFreak
>>>
>>>
>>>
>>>
>>> On 01.03.2016 20:14, Chris Venter wrote:
>>>
>>>     Hi
>>>
>>>     Our security audit has highlighted a possible reflected cross
>>>     site scripting error on the pickup.php page, to test we ran
>>>
>>>     https://server_name/pickup/php?emailAddr=test"
>>>     /><script>alert('XSS Test')</script>
>>>
>>>     Can anyone else confirm if this is an issue?
>>>
>>>     Thanks
>>>
>>>     CJ
>>>
>>>
>>>
>>>
>>>     _______________________________________________
>>>
>>>     ZendTo mailing list
>>>
>>>     ZendTo at zend.to <mailto:ZendTo at zend.to>
>>>
>>>     http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>>
>>>
>>>
>>>
>>> Jules
>>>
>>> -- 
>>> Julian Field MEng MBCS CITP CEng
>>>
>>>
>>> www.Zend.To
>>> Twitter: @JulesFM
>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>
>

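The three pickup.php approaches discussed in this thread, side by side, as an added example (not ZendTo's own code): Karl's quote stripping, Jules' whitelist validation with the variable name corrected, and output encoding, which is what actually keeps a reflected `emailAddr` or `auth` value from breaking out of the page. The regex constant and the sample request are constructed stand-ins for `$theDropbox->validEmailRegexp()` and the real `$_POST`/`$_GET`.

```php
<?php
// Added example, not ZendTo's code. VALID_EMAIL_REGEXP is a constructed stand-in
// for $theDropbox->validEmailRegexp(); the request arrays below are constructed too.
declare(strict_types=1);

const VALID_EMAIL_REGEXP = '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/';

// Reads a parameter the way pickup.php does: POST first, then GET, else NULL.
function requestParam(array $post, array $get, string $name): ?string
{
    if (isset($post[$name])) { return (string) $post[$name]; }
    if (isset($get[$name]))  { return (string) $get[$name]; }
    return null;
}

// Karl's patch: removes double quotes only. '<', '>' and '-->' pass through,
// which is why the <h1> and comment-breakout probes in the scan still fired.
function stripQuotesOnly(?string $value): ?string
{
    return $value === null ? null : str_replace('"', '', $value);
}

// Jules' check with $emailAddr (not $recipEmail) on both sides: any value that
// is not a syntactically valid address is replaced wholesale by INVALID.
function validateEmailAddr(?string $emailAddr, string $regexp = VALID_EMAIL_REGEXP): ?string
{
    if (isset($emailAddr) && !preg_match($regexp, $emailAddr)) {
        return 'INVALID';
    }
    return $emailAddr;
}

// Output encoding for every reflected value, including 'auth', which has no
// whitelist: ENT_QUOTES escapes both quote styles, so attribute context is safe.
function htmlAttr(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed request carrying the scanner's own probes from the thread.
$get = ['emailAddr' => '"--><script>prompt(12345)</script>1t58l<!--',
        'auth'      => '<h1>hsusx</h1>'];
$emailAddr = requestParam([], $get, 'emailAddr');
$auth      = requestParam([], $get, 'auth');

echo "quotes stripped : ", stripQuotesOnly($emailAddr), "\n"; // <script> survives
echo "validated       : ", validateEmailAddr($emailAddr), "\n"; // INVALID
echo "encoded auth    : ", htmlAttr($auth), "\n"; // &lt;h1&gt;hsusx&lt;/h1&gt;
echo '<input type="hidden" name="auth" value="', htmlAttr($auth), '">', "\n";
```

Validation decides whether a value is acceptable at all; encoding at the point of output is what a template must do for every reflected parameter regardless, since `auth` and similar tokens cannot be validated against an address regex.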