[ZendTo] XSS

Charles Sprickman spork at bway.net
Thu Mar 3 19:09:01 GMT 2016



> On Mar 3, 2016, at 4:33 AM, Eythor G. Thorsteinsson <eythort at menandmice.com> wrote:
> 
> Hi,
> 
> the autocomplete="off" is actually ignored by most if not all modern browsers on password fields. 
> 
> See for instance the last paragraph here: https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion
It’s also a terrible idea.  People with password managers are more likely to have a complex password.  “Punishing” them by trying to disable saving the password is a terrible idea.

Charles

> 
> --Eythor
> 
>> On 03 Mar 2016, at 09:16, Der PCFreak <mailinglists at pcfreak.de> wrote:
>> 
>> Hi,
>> 
>> the following patch in /opt/zendto/templates/login.tpl mitigates the minor problem of password autocompletion through login.php:
>> 
>> <       <td><input type="password" id="passwordField" name="password" size="15" value=""/></td>
>> ---
>> >       <!-- <td><input type="password" id="passwordField" name="password" size="15" value=""/></td> -->
>> >       <td><input type="password" id="passwordField" name="password" size="15" value="" autocomplete="off"/></td>
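Review bot: the first `>` line keeps the old `<td>` row inside an HTML comment instead of deleting it, so the template now ships two copies of the password input markup and the commented copy will drift from the live one; drop the `<!-- ... -->` line and keep only the row with `autocomplete="off"`. As the reply further up notes, modern browsers ignore `autocomplete="off"` on password fields, so this change alters little in practice and should not be counted as a fix for the scanner finding.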
>> 
>> Greets
>> 
>> PCFreak
>> 
>> On 03.03.2016 08:19, Der PCFreak wrote:
>>> Hi Jules,
>>> 
>>> thanks for the quick fix in pickup.php
>>> 
>>> But there seem to be still some problems in pickup.php concerning the 'auth' parameter:
>>> 
>>> Reflected Cross-Site Scripting
>>> ------------------------------
>>> pickup.php
>>> The auth parameter was submitted with the value "--><script>prompt(12345)</script>1t58l<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
>>> 
>>> pickup.php
>>> The auth parameter was submitted with the value "--><script>prompt(12345)</script>KBY7h<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
>>> 
>>> HTML Injection
>>> --------------
>>> pickup.php
>>> The auth parameter was submitted with the value <h1>hsusx</h1>, and this value was echoed back verbatim in the resulting page.
>>> 
>>> pickup.php
>>> The auth parameter was submitted with the value <h1>8pamj</h1>, and this value was echoed back verbatim in the resulting page.
>>> 
>>> 
>>> Also an additional problem was found that might be easy to fix:
>>> 
>>> Autocomplete Enabled on Password Field
>>> --------------------------------------
>>> index.php?action=login
>>> Enabling autocomplete on a password field could allow the browser to store a user's password in plain text and show it to anyone using the same computer.
>>> Add 'autocomplete=off' to every password field or login form on the site.
>>> 
>>> 
>>> There are some more minor problems, too!
>>> 
>>> The fix from yesterday for pickup.php only fixed
>>> 
>>> 2 Reflected Cross-Site Scripting
>>> 2 HTML Injection
>>> 
>>> vulnerabilities.
>>> 
>>> Jules, I could send you the entire report via private mail if you want to take a look at it and keep it confidential.
>>> 
>>> And please correct me, if I am wrong with the above!
>>> 
>>> Kind regards and thanks for your work
>>> 
>>> PCFreak
>>> 
>>> 
>>> 
>>> 
>>> On 02.03.2016 18:06, Jules wrote:
>>>> Hi guys!
>>>> 
>>>> Sorry about this one. The fault isn't actually in that line, it's just below it where it says this:
>>>> 
>>>>     if ( isset($recipEmail) && ! preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {
>>>>       $emailAddr = 'INVALID';
>>>>     }
>>>> 
>>>> Those 2 "$recipEmail" should of course both be "$emailAddr".
>>>> 
>>>> I did carefully check the email address was valid, but put in the wrong variable name to check. :-(
>>>> My bad.
>>>> 
>>>> That should fix it. No need to restart httpd or anything, just save the file and reload the page.
>>>> 
>>>> Cheers,
>>>> Jules.
>>>> 
>>>> P.S. Sorry I haven't done an update in *ages*. 2 questions: (1) What other outstanding bugs/patches are there?, and (2) Is it worth me re-writing the areyouahuman CAPTCHA code for their new one, or is everyone happy with the Google one (reCAPTCHA) that is there already?
>>>> 
>>>> On 02/03/2016 15:28, Karl Bundy wrote:
>>>>> Hi everyone,
>>>>>  
>>>>> It appears that the issue is due to the fact that the email querystring variable is not being sanitized before being used.  I am not a skilled programmer, but I was able to make this simple change to the pickup.php file and it appears to have resolved this XSS issue.  Please use this at your own risk, as it appears to work for me, but your mileage may vary ;)
>>>>>  
>>>>> In the pickup.php file change this line:
>>>>>  
>>>>> $emailAddr = isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);
>>>>>  
>>>>> to this:
>>>>>  
>>>>> $emailAddr = str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));
>>>>>  
>>>>>  
>>>>> Save the file, and then test again.
>>>>>  
>>>>>  
>>>>> ---Karl Bundy
>>>>>  
>>>>> From: zendto-bounces at zend.to [mailto:zendto-bounces at zend.to] On Behalf Of Der PCFreak
>>>>> Sent: Wednesday, March 02, 2016 6:10 AM
>>>>> To: zendto at zend.to
>>>>> Subject: Re: [ZendTo] XSS
>>>>>  
>>>>> Hi,
>>>>> 
>>>>> Barracuda offers their "Barracuda Vulnerability Manager" for free at the moment and I tested it.
>>>>> https://bvm.barracudanetworks.com/
>>>>> 
>>>>> 
>>>>> Here some of the results pointed at my ZendTo installation:
>>>>> 
>>>>> 
>>>>> Reflected Cross-Site Scripting
>>>>> ==============================
>>>>> https://your.url.tld/pickup.php
>>>>> Issue Detail
>>>>> The emailAddr parameter was submitted with the value "--><script>prompt(12345)</script>lNYCi<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
>>>>> 
>>>>> https://your.url.tld/pickup.php
>>>>> Issue Detail
>>>>> The auth parameter was submitted with the value "--><script>prompt(12345)</script>HyNzQ<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
>>>>> 
>>>>> https://your.url.tld/pickup.php
>>>>> Issue Detail
>>>>> The emailAddr parameter was submitted with the value "--><script>prompt(12345)</script>x7RXs<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
>>>>> 
>>>>> https://your.url.tld/pickup.php
>>>>> Issue Detail
>>>>> The auth parameter was submitted with the value "--><script>prompt(12345)</script>WqYcq<!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.
>>>>> 
>>>>> HTML-Injection
>>>>> ==============
>>>>> https://your.url.tld/pickup.php
>>>>> Issue Detail
>>>>> The emailAddr parameter was submitted with the value <h1>tjkgr</h1>, and this value was echoed back verbatim in the resulting page.
>>>>> 
>>>>> https://your.url.tld/pickup.php
>>>>> Issue Detail
>>>>> The auth parameter was submitted with the value <h1>xt90x</h1>, and this value was echoed back verbatim in the resulting page.
>>>>> 
>>>>> https://your.url.tld/pickup.php
>>>>> Issue Detail
>>>>> The emailAddr parameter was submitted with the value <h1>zrjja</h1>, and this value was echoed back verbatim in the resulting page.
>>>>> 
>>>>> https://your.url.tld/pickup.php
>>>>> Issue Detail
>>>>> The auth parameter was submitted with the value <h1>anhxx</h1>, and this value was echoed back verbatim in the resulting page.
>>>>> 
>>>>> Kind regards
>>>>> 
>>>>> PCFreak
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> On 01.03.2016 20:14, Chris Venter wrote:
>>>>> Hi 
>>>>> 
>>>>> Our security audit has highlighted a possible reflected cross site scripting error on the pickup.php page; to test we ran 
>>>>> 
>>>>> https://server_name/pickup/php?emailAddr=test" /><script>alert('XSS Test')</script>
>>>>>  
>>>>> Can anyone else confirm if this is an issue?
>>>>> 
>>>>> Thanks
>>>>> CJ
>>>>> 
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> ZendTo mailing list
>>>>> ZendTo at zend.to
>>>>> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
>>>>>  
>>>>> 
>>>>> 
>>>>> Jules
>>>>> 
>>>>> -- 
>>>>> Julian Field MEng MBCS CITP CEng
>>>>> 
>>>>> 
>>>>> www.Zend.To
>>>>> Twitter: @JulesFM
>>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>> 
>>>> 
>> 
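As an added example (not ZendTo's code and not from anyone in the thread), the PHP script below contrasts the str_replace('"','') band-aid posted for pickup.php with the validate-then-encode handling that Jules' corrected check implies. VALID_EMAIL_REGEXP is an assumption standing in for validEmailRegexp(), which the thread does not show, and the request value is constructed from the first scanner finding quoted above.

```php
<?php
declare(strict_types=1);

// Added example, not ZendTo's own code. VALID_EMAIL_REGEXP is an assumption
// that stands in for $theDropbox->validEmailRegexp(), which is not shown in
// the thread.
const VALID_EMAIL_REGEXP = '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/';

// The band-aid from the thread: it strips double quotes only. That prevents
// breaking out of a double-quoted attribute but leaves < and > untouched, so
// a value reflected as text or inside an HTML comment is still live markup.
function bandaid(?string $value): ?string
{
    return $value === null ? null : str_replace('"', '', $value);
}

// The corrected check from the thread (testing $emailAddr, not $recipEmail):
// anything that is not a syntactically valid address becomes the literal
// 'INVALID' before it can reach the template.
function validatedEmail(?string $value): ?string
{
    if ($value !== null && !preg_match(VALID_EMAIL_REGEXP, $value)) {
        return 'INVALID';
    }
    return $value;
}

// Defence in depth: whatever is echoed is HTML-encoded at the output point,
// so <, >, &, ' and " cannot form markup even if validation is loosened later.
function htmlSafe(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Same POST-then-GET lookup that pickup.php performs, fed with a constructed
// request carrying the first scanner payload quoted in the thread.
$_GET['emailAddr'] = '"--><script>prompt(12345)</script>lNYCi<!--';
$emailAddr = $_POST['emailAddr'] ?? $_GET['emailAddr'] ?? null;

// Band-aid: only the leading quote disappears; the <script> element survives.
printf("band-aid : %s\n", bandaid($emailAddr));
// Validation: the payload is not an address and is rejected outright.
printf("validated: %s\n", validatedEmail($emailAddr));
// Encoding: the angle brackets become entities and render as plain text.
printf("encoded  : %s\n", htmlSafe($emailAddr));
// A genuine address passes both steps unchanged.
printf("good     : %s\n", htmlSafe(validatedEmail('alice@example.com')));
```

The same validate-then-encode pattern applies to the auth parameter that the later scan still flagged; validation alone protects only the parameters it is applied to, whereas encoding at every echo point covers all of them.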


