[ZendTo] XSS
Eythor G. Thorsteinsson
eythort at menandmice.com
Thu Mar 3 09:33:20 GMT 2016
Hi,
the autocomplete="off" is actually ignored by most if not all modern browsers on password fields.
See for instance the last paragraph here: https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion
--Eythor
On 03 Mar 2016, at 09:16, Der PCFreak <mailinglists at pcfreak.de> wrote:
Hi,
the following patch in /opt/zendto/templates/login.tpl mitigates the minor problem of password autocompletion through login.php:
< <td><input type="password" id="passwordField" name="password" size="15" value=""/></td>
---
> <!-- <td><input type="password" id="passwordField" name="password" size="15" value=""/></td> -->
> <td><input type="password" id="passwordField" name="password" size="15" value="" autocomplete="off"/></td>
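Review bot: the hunk keeps the original `<input>` line inside an HTML comment (`<!-- <td><input ... /></td> -->`) next to the replacement line, so the template now carries two copies of the same field; drop the commented-out copy rather than leaving dead markup in login.tpl. Also note, as Eythor points out above in this thread, that modern browsers ignore `autocomplete="off"` on password fields, so this attribute is at best a hint to the browser and should not be treated as the fix for the scanner's finding.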
Greets
PCFreak
On 03.03.2016 08:19, Der PCFreak wrote:
Hi Jules,
thanks for the quick fix in pickup.php
But there seem to be still some problems in pickup.php concerning the 'auth' parameter:
Reflected Cross-Site Scripting
------------------------------
pickup.php
The auth parameter was submitted with the value "--><script>prompt(12345)</script>1t58l<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
pickup.php
The auth parameter was submitted with the value "--><script>prompt(12345)</script>KBY7h<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
HTML Injection
--------------
pickup.php
The auth parameter was submitted with the value <h1>hsusx</h1>, and this value was echoed back verbatim in the resulting page.
pickup.php
The auth parameter was submitted with the value <h1>8pamj</h1>, and this value was echoed back verbatim in the resulting page.
Also an additional problem was found that might be easy to fix:
Autocomplete Enabled on Password Field
--------------------------------------
index.php?action=login
Enabling autocomplete on a password field could allow the browser to store a user's password in plain text and show it to anyone using the same computer.
Add 'autocomplete=off' to every password field or login form on the site.
There are some more minor problems, too!
The fix from yesterday for pickup.php only fixed
2 Reflected Cross-Site Scripting
2 HTML Injection
vulnerabilities.
Jules, I could send you the entire report via private mail if you want to take a look at it and keep it confidential.
And please correct me, if I am wrong with the above!
Kind regards and thanks for your work
PCFreak
On 02.03.2016 18:06, Jules wrote:
Hi guys!
Sorry about this one. The fault isn't actually in that line, it's just below it where it says this:
if ( isset($recipEmail) && ! preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {
$emailAddr = 'INVALID';
}
Those 2 "$recipEmail" should of course both be "$emailAddr".
I did carefully check the email address was valid, but put in the wrong variable name to check. :-(
My bad.
That should fix it. No need to restart httpd or anything, just save the file and reload the page.
Cheers,
Jules.
P.S. Sorry I haven't done an update in *ages*. 2 questions: (1) What other outstanding bugs/patches are there?, and (2) Is it worth me re-writing the areyouahuman CAPTCHA code for their new one, or is everyone happy with the Google one (reCAPTCHA) that is there already?
On 02/03/2016 15:28, Karl Bundy wrote:
Hi everyone,
It appears that the issue is due to the fact that the email querystring variable is not being sanitized before being used. I am not a skilled programmer, but I was able to make this simple change to the pickup.php file and it appears to have resolved this XSS issue. Please use this at your own risk, as it appears to work for me, but your mileage may vary ;)
In the pickup.php file change this line:
$emailAddr = isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);
to this:
$emailAddr = str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));
Save the file, and then test again.
---Karl Bundy
From: zendto-bounces at zend.to On Behalf Of Der PCFreak
Sent: Wednesday, March 02, 2016 6:10 AM
To: zendto at zend.to
Subject: Re: [ZendTo] XSS
Hi,
Barracuda offers their "Barracuda Vulnerability Manager" for free at the moment and I tested it.
https://bvm.barracudanetworks.com/
Here some of the results pointed at my ZendTo installation:
Reflected Cross-Site Scripting
==============================
https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value "--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value "--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value "--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value "--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
HTML-Injection
==============
https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value <h1>tjkgr</h1>, and this value was echoed back verbatim in the resulting page.
https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value <h1>xt90x</h1>, and this value was echoed back verbatim in the resulting page.
https://your.url.tld/pickup.php
Issue Detail
The emailAddr parameter was submitted with the value <h1>zrjja</h1>, and this value was echoed back verbatim in the resulting page.
https://your.url.tld/pickup.php
Issue Detail
The auth parameter was submitted with the value <h1>anhxx</h1>, and this value was echoed back verbatim in the resulting page.
Kind regards
PCFreak
On 01.03.2016 20:14, Chris Venter wrote:
Hi
Our security audit has highlighted a possible reflected cross site scripting error on the pickup.php page. To test we ran
https://server_name/pickup/php?emailAddr=test" /><script>alert('XSS Test')</script>
Can anyone else confirm if this is an issue?
Thanks
CJ
_______________________________________________
ZendTo mailing list
ZendTo at zend.to
http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
Jules
--
Julian Field MEng MBCS CITP CEng
www.Zend.To
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
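As an added example (not code from ZendTo or from anyone in this thread), the following PHP puts the reflection patterns discussed above side by side: the raw echo that the scanner payloads exploit, the str_replace quote-stripping workaround, the wrong-variable validation Jules describes, and validation of the variable that is actually used followed by output encoding. The function names, the email regexp standing in for $theDropbox->validEmailRegexp(), and the sample payloads are assumptions; how pickup.php really builds its page is not shown in the thread.

```php
<?php
// Added example, not ZendTo's own code: three ways of reflecting a request
// parameter such as emailAddr into pickup.php-style HTML. The function names,
// the regexp used as a stand-in for $theDropbox->validEmailRegexp(), and the
// sample payloads are assumptions for illustration only.

declare(strict_types=1);

// Stand-in for validEmailRegexp(); assumed pattern, not the project's.
function validEmailRegexp(): string
{
    return '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/';
}

// 1. Vulnerable: the raw parameter lands inside an attribute and as text.
//    A value like  test" /><script>alert(1)</script>  closes the attribute
//    and the tag, and  <h1>x</h1>  becomes live markup in the paragraph.
function renderUnsafe(string $emailAddr): string
{
    return '<input type="text" name="emailAddr" value="' . $emailAddr . '"/>'
         . '<p>Pick-up for ' . $emailAddr . '</p>';
}

// 2. Quote stripping, the str_replace('"', '', ...) approach from the thread.
//    It stops the attribute break-out the scanner used, but a payload without
//    double quotes, such as <h1>x</h1> or a bare <script> tag, still passes
//    through wherever the value is echoed as text.
function renderQuoteStripped(string $emailAddr): string
{
    $stripped = str_replace('"', '', $emailAddr);
    return '<input type="text" name="emailAddr" value="' . $stripped . '"/>'
         . '<p>Pick-up for ' . $stripped . '</p>';
}

// 3. The validate-the-wrong-variable mistake: the check runs on $recipEmail
//    while $emailAddr is what gets echoed. If $recipEmail is unset the check
//    is skipped entirely and a malicious $emailAddr goes through untouched.
function validateWrongVariable(string $emailAddr, ?string $recipEmail = null): string
{
    if (isset($recipEmail) && !preg_match(validEmailRegexp(), $recipEmail)) {
        $emailAddr = 'INVALID';
    }
    return $emailAddr;
}

// 4. Validate the variable you actually use, then encode on output.
//    htmlspecialchars with ENT_QUOTES covers both the attribute context
//    (double and single quotes) and the text context (< and >), so neither
//    payload family survives even if the validation step is bypassed.
function renderSafe(string $emailAddr): string
{
    if (!preg_match(validEmailRegexp(), $emailAddr)) {
        $emailAddr = 'INVALID';
    }
    $enc = htmlspecialchars($emailAddr, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="emailAddr" value="' . $enc . '"/>'
         . '<p>Pick-up for ' . $enc . '</p>';
}

// Constructed payloads modelled on the ones reported in the thread.
$payloads = [
    'alice@example.org',                            // benign
    'test" /><script>alert(\'XSS Test\')</script>', // attribute break-out
    '<h1>hsusx</h1>',                               // HTML injection, no quotes
];

foreach ($payloads as $p) {
    echo "input: $p\n";
    echo "  unsafe:         " . renderUnsafe($p) . "\n";
    echo "  quote-stripped: " . renderQuoteStripped($p) . "\n";
    echo "  wrong variable: " . validateWrongVariable($p) . "\n";
    echo "  safe:           " . renderSafe($p) . "\n";
    // Quick reviewer check: a raw '<' from the input must never reach the
    // safe rendering; only the template's own tags may contain one.
    echo "  safe output contains <script>? "
       . (strpos(renderSafe($p), '<script>') === false ? 'no' : 'YES') . "\n\n";
}
```

Run it with `php example.php` and compare the four renderings for each payload: the quote-stripped variant still emits the `<h1>` payload as markup, which is exactly the HTML-injection class the scanner kept reporting after the first fix, while the encoded variant emits it as inert text.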