[ZendTo] ZendTo Release 4.20-5
Jules
Jules at Zend.To
Mon Feb 6 14:09:57 GMT 2017
Folks,
A few more fairly minor changes:
Version 4.20-5
- Fixed information leak where the ClaimID and Passcode were shown to
external users when they have made a new drop-off.
- Minor code change to make it work on PHP 5.2 and upwards, instead of 5.3.
- Corrected styling bug that made the "add multiple recipients" box too large
on Chrome.
The first one is of interest. As was recently pointed out to me, an
external user could send a drop-off to a non-existent email address
within your organisation. As the user would be told the ClaimID and
Passcode allocated to their drop-off, they could construct the URL of
the pick-up page for that drop-off, which they could then publish to
anyone anywhere including other users outside your organisation.
Any external user receiving this link would still have to pass the
CAPTCHA on ZendTo's pick-up page, and they would see who provided the
service they were downloading it from. So I'm not sure it would be a
very good way of distributing malicious content. But it could well be
quite a good way to distribute illegal content that the recipients knew
was illegal and hence wouldn't care about how they got it or from where.
I have *never* received any reports of this being exploited, so it
appears to be one the bad guys haven't found yet.
But best to upgrade anyway and seal this hole first.
Jules
--
Julian Field MEng MBCS CITP CEng
'It's in Apple's DNA that technology alone is not enough. It's
technology married with liberal arts, married with the humanities,
that yields us the result that makes our hearts sing.' - Steve Jobs
www.Zend.To
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
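The leak described in the announcement above, as an added illustration that is not ZendTo's own code: a small Python sketch of a drop-off confirmation builder in its pre-fix and fixed forms, plus the regression check a maintainer would keep to make sure the ClaimID/Passcode pair never reaches an external sender's screen again. The class and function names, the base URL, the pick-up URL layout and its query parameter names are all assumptions made for this example; none of them are ZendTo's real identifiers.

```python
"""Illustration (not ZendTo code) of the ClaimID/Passcode information leak
fixed in 4.20-5, and of the hardened behaviour.

Everything here is constructed for the example: the pick-up URL layout,
the query parameter names, the base URL and the function names are
assumptions, not ZendTo's real ones.
"""
from dataclasses import dataclass
from typing import Tuple
from urllib.parse import urlencode

BASE_URL = "https://files.example.org"  # constructed placeholder, not a real host


@dataclass(frozen=True)
class DropOff:
    claim_id: str
    passcode: str
    sender_is_internal: bool      # True only for an authenticated member of the organisation
    recipients: Tuple[str, ...]   # addresses the sender typed in (not validated here)


def pickup_url(drop: DropOff) -> str:
    """Rebuild the pick-up link from the two secrets.

    Anyone who knows ClaimID + Passcode can construct this themselves, which is
    exactly why the pair must not be shown to an unauthenticated sender: it is
    a bearer capability for the file, not a mere receipt number.
    (Parameter names are assumed for the example.)"""
    query = urlencode({"claimID": drop.claim_id, "claimPasscode": drop.passcode})
    return f"{BASE_URL}/pickup?{query}"


def confirmation_vulnerable(drop: DropOff) -> str:
    """Behaviour before 4.20-5 as the announcement describes it: every sender,
    internal or external, is told the ClaimID and Passcode after uploading."""
    return (
        f"Drop-off sent to {', '.join(drop.recipients)}.\n"
        f"Claim ID: {drop.claim_id}\n"
        f"Passcode: {drop.passcode}\n"
    )


def confirmation_hardened(drop: DropOff) -> str:
    """Behaviour after the fix: only an authenticated internal sender sees the
    ClaimID and Passcode. An external sender gets a generic acknowledgement,
    so the recipients' notification e-mail stays the only channel that carries
    the pick-up details. If a recipient address does not exist, the secrets
    simply go nowhere instead of to the external sender."""
    if not drop.sender_is_internal:
        return "Drop-off sent. The recipient(s) have been e-mailed the pick-up details.\n"
    return confirmation_vulnerable(drop)


def leaks_pickup_secrets(page: str, drop: DropOff) -> bool:
    """Regression check: does the page rendered for the sender expose either
    half of the pick-up credential? Keep this in the test suite so the leak
    cannot quietly come back in a later template change."""
    return drop.claim_id in page or drop.passcode in page


if __name__ == "__main__":
    # Constructed sample: an external sender addressing a non-existent
    # internal mailbox, the scenario the announcement describes.
    external = DropOff("c1a2b3d4", "wxyz9876", False, ("nobody@example.org",))
    print("before fix leaks:", leaks_pickup_secrets(confirmation_vulnerable(external), external))
    print("after fix leaks: ", leaks_pickup_secrets(confirmation_hardened(external), external))
```

The `leaks_pickup_secrets` check is the part worth keeping: templates get edited, and a test that renders the external-sender confirmation and asserts the two secrets are absent catches a reintroduction of this class of leak before release.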