[ZendTo] Zend.to & Nessus Scans

Harris, David D.J.Harris at tees.ac.uk
Mon Jan 23 10:38:19 GMT 2017


Hi folks,

We've got the latest version running on CentOS 6.8.

We're in the process of having an institutional pentest/vulnerability scan done, and the contractor has highlighted a potential issue with ZendTo.
I've seen an initial copy of the contractors scan outcome, and I've replicated the scan with our Nessus scanner - with the same result.

The Nessus plugin that ZendTo has tripped up on is one that (in Nessus's own words) "is prone to false positives." I'm not convinced that this is exploitable; I'll await the full report from the PenTest contractor and see where we go from there.
The Nessus plugin that has caused the issue is this one - https://www.tenable.com/plugins/index.php?view=single&id=42424

I've supplied the results from the Nessus scanner below, and I'd really appreciate any comments or feedback on this (as I'm in no way, shape, or form a developer!)

The output from the scan on our installation is as follows; I can supply any other details of the scan on request.
Thanks in advance for your comments!

Thanks
Dave


Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to blind SQL injection :

+ The 'claimID' parameter of the /pickup.php CGI :

/pickup.php?emailAddr=&Action=Pickup&auth=&claimPasscode=&claimID=zz&Action=Pickup&auth=&claimPasscode=&claimID=yy

-------- output --------
  <form name="pickupcheck" method="post" action="https://zendto.te [...]
      <input type="hidden" name="Action" value="Pickup"/>
      <input type="hidden" name="claimID" value=""/>
      <input type="hidden" name="claimPasscode" value=""/>
      <input type="hidden" name="emailAddr" value="INVALID"/>
-------- vs --------
  <form name="pickupcheck" method="post" action="https://zendto.te [...]
      <input type="hidden" name="Action" value="Pickup"/>
      <input type="hidden" name="claimID" value="yy"/>
      <input type="hidden" name="claimPasscode" value=""/>
      <input type="hidden" name="emailAddr" value="INVALID"/>
------------------------

+ The 'claimPasscode' parameter of the /pickup.php CGI :

/pickup.php?emailAddr=&Action=Pickup&auth=&claimID=&claimPasscode=zz&Action=Pickup&auth=&claimID=&claimPasscode=yy

-------- output --------
      <input type="hidden" name="Action" value="Pickup"/>
      <input type="hidden" name="claimID" value=""/>
      <input type="hidden" name="claimPasscode" value=""/>
      <input type="hidden" name="emailAddr" value="INVALID"/>
      <input type="hidden" name="auth" value=""/>
-------- vs --------
      <input type="hidden" name="Action" value="Pickup"/>
      <input type="hidden" name="claimID" value=""/>
      <input type="hidden" name="claimPasscode" value="yy"/>
      <input type="hidden" name="emailAddr" value="INVALID"/>
      <input type="hidden" name="auth" value=""/>
------------------------

/pickup.php?emailAddr=&Action=Pickup&auth=&claimID=&claimPasscode=zz&Action=Pickup&auth=&claimID=&claimPasscode=yy {2}

-------- output --------
      <input type="hidden" name="Action" value="Pickup"/>
      <input type="hidden" name="claimID" value=""/>
      <input type="hidden" name="claimPasscode" value=""/>
      <input type="hidden" name="emailAddr" value="INVALID"/>
      <input type="hidden" name="auth" value=""/>
-------- vs --------
      <input type="hidden" name="Action" value="Pickup"/>
      <input type="hidden" name="claimID" value=""/>
      <input type="hidden" name="claimPasscode" value="yy"/>
      <input type="hidden" name="emailAddr" value="INVALID"/>
      <input type="hidden" name="auth" value=""/>
------------------------


Using the POST HTTP method, Nessus found that :

+ The following resources may be vulnerable to blind SQL injection :

+ The 'Action' parameter of the /pickup.php CGI :

/pickup.php [emailAddr=&auth=&claimID=&claimPasscode=&Action=Pickupzz&auth=&claimID=&claimPasscode=&Action=Pickupyy]

-------- output --------
        <div id="container">

        <div id="error">
            <table class="UD_error" width="50%">
                      <tr>
-------- vs --------
        <div id="container">


  <form name="pickupcheck" method="post" action="https://zendto.te [...]
      <input type="hidden" name="Action" value="Pickup"/>
------------------------

+ The 'auth' parameter of the /pickup.php CGI :

/pickup.php [emailAddr=&Action=Pickup&claimID=&claimPasscode=&auth=zz&Action=Pickup&claimID=&claimPasscode=&auth=yy]

-------- output --------
                      <tr>
                <td valign="middle" rowspan="2"><img src="images/error-ic [...]
                <td class="UD_error_title">Are you a real person?</td>
              </tr>
              <tr>
-------- vs --------
                      <tr>
                <td valign="middle" rowspan="2"><img src="images/error-ic [...]
                <td class="UD_error_title">Authentication Failure</td>
              </tr>
              <tr>
------------------------

+ The 'Action' parameter of the /verify.php CGI :

/verify.php [senderOrganization=&req=&senderEmail=&senderName=&Action=verifyzz&req=&senderEmail=&senderName=&Action=verifyyy]

-------- output --------
        <div id="container">

        <div id="error">
            <table class="UD_error" width="50%">
                      <tr>
-------- vs --------
        <div id="container">


<script type="text/javascript">
<!--
------------------------

+ The 'req' parameter of the /verify.php CGI :

/verify.php [senderOrganization=&Action=verify&senderEmail=&senderName=&req=zz&Action=verify&senderEmail=&senderName=&req=yy]

-------- output --------
                      <tr>
                <td valign="middle" rowspan="2"><img src="images/error-ic [...]
                <td class="UD_error_title">Are you a real person?</td>
              </tr>
              <tr>
-------- vs --------
                      <tr>
                <td valign="middle" rowspan="2"><img src="images/error-ic [...]
                <td class="UD_error_title">Verify error</td>
              </tr>
              <tr>
------------------------

+ The 'senderEmail' parameter of the /verify.php CGI :

/verify.php [senderOrganization=&Action=verify&req=&senderName=&senderEmail=zz&Action=verify&req=&senderName=&senderEmail=yy]

-------- output --------
            <tr>
              <td align="right"><label for="senderEmail">Your emai [...]
              <td width="60%"><input type="text" id="senderEmail" name="senderEmail" size="45" value="" class="UITextBox" /><font style="font-size:9px">(required)</font></td>
            </tr>

-------- vs --------
            <tr>
              <td align="right"><label for="senderEmail">Your emai [...]
              <td width="60%"><input type="text" id="senderEmail" name="senderEmail" size="45" value="yy" class="UITextBox" /><font style="font-size:9px">(required)</font></td>
            </tr>
------------------------

+ The 'senderName' parameter of the /verify.php CGI :

/verify.php [senderOrganization=&Action=verify&req=&senderEmail=&senderName=zz&Action=verify&req=&senderEmail=&senderName=yy]

-------- output --------
            <tr>
              <td align="right"><label for="senderName">Your name: [...]
              <td width="60%"><input type="text" id="senderName" name="senderName" size="45" value="" class="UITextBox" /><font style="font-size:9px">(required)</font></td>
            </tr>

-------- vs --------
            <tr>
              <td align="right"><label for="senderName">Your name: [...]
              <td width="60%"><input type="text" id="senderName" name="senderName" size="45" value="yy" class="UITextBox" /><font style="font-size:9px">(required)</font></td>
            </tr>
------------------------

/verify.php [senderOrganization=&Action=verify&req=&senderEmail=&senderName=zz&Action=verify&req=&senderEmail=&senderName=yy] {2}

-------- output --------
            <tr>
              <td align="right"><label for="senderName">Your name: [...]
              <td width="60%"><input type="text" id="senderName" name="senderName" size="45" value="" class="UITextBox" /><font style="font-size:9px">(required)</font></td>
            </tr>

-------- vs --------
            <tr>
              <td align="right"><label for="senderName">Your name: [...]
              <td width="60%"><input type="text" id="senderName" name="senderName" size="45" value="yy" class="UITextBox" /><font style="font-size:9px">(required)</font></td>
            </tr>
------------------------



David Harris  |  ICT Manager (Information Assurance)
M.Sc. B.A.(Hons)
http://informationsecurity.tees.ac.uk
ITACS, Teesside University
Internal Ext. 8979
External 01642 738979
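The scan output above is a two-probe comparison: the plugin sends two different values for one parameter and reports the parameter whenever the two responses differ, which is why a hidden form field that echoes its input is enough to trip it. The following is an added example, not ZendTo or Nessus code, that reproduces that comparison against three simulated handlers and then applies the two checks a reviewer uses before accepting such a finding: masking the echoed probe value out of both responses, and requiring that injected true and false conditions change the page consistently. The handlers, the in-memory sqlite table, the probe strings and the page fragments are all constructed for the example; only the field names and error titles are borrowed from the snippets above.

```python
"""
Reproduce the two-probe response comparison behind generic "blind SQL
injection" scanner checks, then add the two steps that separate a false
positive from a real finding. Example added for this page; not ZendTo or
Nessus code. Every response below is constructed, not captured traffic.
"""
import sqlite3
from html import escape
from urllib.parse import quote


def mask_reflection(body: str, probe: str, marker: str = "__PROBE__") -> str:
    """Replace each occurrence of the probe (raw, HTML-escaped, URL-encoded)
    with a fixed marker, so a page that only echoes its input compares
    equal for two different probe values."""
    variants = {probe, escape(probe, quote=True), quote(probe, safe="")}
    for variant in sorted(variants, key=len, reverse=True):
        if variant:
            body = body.replace(variant, marker)
    return body


def classify_pair(resp_a: str, probe_a: str, resp_b: str, probe_b: str) -> str:
    """identical: parameter ignored; reflection-only: the only difference is
    the echoed value; behavioural: something else changed, review by hand."""
    if resp_a == resp_b:
        return "identical"
    if mask_reflection(resp_a, probe_a) == mask_reflection(resp_b, probe_b):
        return "reflection-only"
    return "behavioural"


def boolean_consistency(trials) -> bool:
    """A genuine blind injection point gives one masked response for every
    true condition and a different one for every false condition. Any mixing
    means the page difference is not driven by the injected condition."""
    masked = {}
    for probe, truth, resp in trials:
        masked.setdefault(truth, set()).add(mask_reflection(resp, probe))
    true_set, false_set = masked.get(True, set()), masked.get(False, set())
    return len(true_set) == 1 and len(false_set) == 1 and true_set != false_set


# Simulated handlers (invented for the example; titles borrowed from the scan
# snippets above, the logic is not ZendTo's).
PICKUP_FORM = (
    '<form name="pickupcheck" method="post" action="/pickup.php">\n'
    '  <input type="hidden" name="Action" value="Pickup"/>\n'
    '  <input type="hidden" name="claimID" value="{claim_id}"/>\n'
    '  <input type="hidden" name="claimPasscode" value=""/>\n'
    '  <input type="hidden" name="emailAddr" value="INVALID"/>\n'
)
ERROR_BOX = '<table class="UD_error"><tr><td class="UD_error_title">{title}</td></tr></table>\n'

_DB = sqlite3.connect(":memory:")          # constructed table for the demo
_DB.execute("CREATE TABLE drops (claim_id TEXT)")
_DB.execute("INSERT INTO drops VALUES ('zz')")


def echoing_handler(probe: str) -> str:
    """Echoes the parameter into a hidden field and does nothing else."""
    return PICKUP_FORM.format(claim_id=escape(probe, quote=True))


def validating_handler(probe: str) -> str:
    """Rejects non-alphanumeric input before any database work, so a probe
    with a quote changes the page although no SQL ever runs."""
    if probe and not probe.isalnum():
        return ERROR_BOX.format(title="Are you a real person?")
    return echoing_handler(probe)


def vulnerable_handler(probe: str) -> str:
    """Deliberately unsafe: concatenates the probe into the query, so an
    injected condition really does decide which page comes back."""
    try:
        row = _DB.execute(f"SELECT 1 FROM drops WHERE claim_id = '{probe}'").fetchone()
    except sqlite3.Error:
        row = None
    return echoing_handler(probe) if row else ERROR_BOX.format(title="Authentication Failure")


SCANNER_PROBES = ("zz", "yy'")             # one clean value, one with a quote
BOOLEAN_TRIALS = (                         # injected condition, expected truth
    ("zz' AND '1'='1", True),
    ("zz' AND '2'='2", True),
    ("zz' AND '1'='2", False),
    ("zz' AND '3'='4", False),
)


def scanner_verdict(handler) -> str:
    a, b = SCANNER_PROBES
    return classify_pair(handler(a), a, handler(b), b)


def confirmed_blind_sqli(handler) -> bool:
    return boolean_consistency([(p, t, handler(p)) for p, t in BOOLEAN_TRIALS])


if __name__ == "__main__":
    for name, handler in (("echoing", echoing_handler),
                          ("validating", validating_handler),
                          ("vulnerable", vulnerable_handler)):
        print(f"{name:11s} scanner: {scanner_verdict(handler):16s}"
              f"confirmed: {confirmed_blind_sqli(handler)}")
```

Running the block prints one line per handler. The echoing handler is what a reflected hidden field looks like to the scanner and is classed as reflection-only once the probe is masked; the validating handler still looks "behavioural" to the pair comparison, exactly like the scanner's verdict, but fails the consistency check because every quoted probe is rejected regardless of the condition's truth; only the deliberately vulnerable handler passes both. That last check, not the pair diff, is what a pentest report should be asked to show before a blind SQL injection finding is accepted.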
