Thank you, have a good evening!<br><br>-Ken<br><br clear="all">Ken Buska<br>Director of Technical Operations<br>Computer Lab Solutions<br>255 B Street #207<br>Idaho Falls, ID, 83402<br>tel: (877) 299-6241 x500<br>fax: (877) 279-2486<br>
Intl tel: +1 (801) 447-2778 x500<br>Intl fax: +1 (801) 823-2210<br>email: <a href="mailto:support@computerlabsolutions.com" target="_blank">support@computerlabsolutions.com</a><br>helpdesk: <a href="http://helpdesk.computerlabsolutions.com" target="_blank">http://helpdesk.computerlabsolutions.com</a><br>
<br><br><div class="gmail_quote">On Mon, May 23, 2011 at 9:50 AM, Jules <span dir="ltr"><<a href="mailto:Jules@zend.to">Jules@zend.to</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="#ffffff" text="#000000">
You will get them when I release them, which will be in the next day
or two.<br><font color="#888888">
<br>
Jules.</font><div><div></div><div class="h5"><br>
<br>
On 23/05/2011 16:37, Ken Buska wrote:
<blockquote type="cite">Jules,<br>
<br>
How can we get these fixes? Is there a source repository
somewhere?<br>
<br>
Cheers,<br>
Ken<br>
<br>
<br>
<br>
<div class="gmail_quote">On Mon, May 23, 2011 at 2:52 AM, Jules <span dir="ltr"><<a href="mailto:Jules@zend.to" target="_blank">Jules@zend.to</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<div bgcolor="#ffffff" text="#000000">
<div> <br>
<br>
On 22/05/2011 15:09, <a href="mailto:patrick.gaikowski@kaufland.com" target="_blank">patrick.gaikowski@kaufland.com</a>
wrote:
<blockquote type="cite">
<p><font size="2" face="sans-serif">Hi,</font><br>
<br>
<font size="2" face="sans-serif">We engaged a company
for penetration testing of web applications and
that's why I tried to be prepared...</font><br>
<br>
<font size="2" face="sans-serif">I used the tool "burp
suite" which is a http/https proxy for intercepting
web requests / responses. </font><br>
</p>
<ul style="padding-left:18pt" type="disc">
<li><font size="2" face="sans-serif">I made a drop-off
request without username / password --> only
ReCaptcha</font></li>
</ul>
</blockquote>
</div>
Definitely a bug, now fixed. Well done!
<div><br>
<blockquote type="cite">
<ul style="padding-left:18pt" type="disc">
<li> <br>
</li>
<li><font size="2" face="sans-serif">I intercepted the
POST to dropoff.php</font></li>
</ul>
<br>
<i>(See attached file: dropoff)</i><br>
</blockquote>
</div>
Great, XML, my favourite. :-)
<div><br>
<blockquote type="cite">
<ul style="padding-left:18pt" type="disc">
<li><font size="2" face="sans-serif">In the tool you
can send the POST to the repeater module and
modify the POST</font> </li>
<li><font size="2" face="sans-serif">I was able to
send the upload various times --> the limit
will be the free space on the host system --></font><font size="2" color="#ff0000" face="sans-serif"> can be
used to blow up the system and perhaps crash the
system</font></li>
</ul>
</blockquote>
</div>
If you don't complete the upload, then you will be able to
do that. Once the upload has finished, the auth code should
be removed (and now is! :-) (unless you're a logged-in user,
at which point we can hunt you down anyway).<br>
I'm not particularly worried about attacks by logged in
users. They can just repeat the entire upload process as
many times as they like anyway, uploading either the same
files or different files each time.
<div><br>
<blockquote type="cite">
<ul style="padding-left:18pt" type="disc">
<li> <br>
</li>
<li><font size="2" face="sans-serif">I was able to
change, for example, the email address of the
recipient (only the domain defined in
preferences.php) in the POST --> </font><font size="2" color="#ff0000" face="sans-serif">can be
used for SPAM if the email domain is not
configured correctly</font></li>
</ul>
</blockquote>
</div>
Agreed. You can indeed change the email address of the
recipient in the upload. But then again you can just make
your automated hacking system slightly more clever and do
multiple uploads to anyone you like in the
preferences.php configured domain. So I am not worried about
that either.
<div><br>
<blockquote type="cite"> <br>
<font size="2" face="sans-serif">Is it possible to limit
the lifetime of the </font><font size="2" color="#ff0000" face="sans-serif">auth parameter</font><font size="2" face="sans-serif"> to only one request? </font><br>
</blockquote>
</div>
Well spotted, yes that is a bug. Fixed. That should take
care of the multiple-upload exploits you found above too.<br>
<br>
Many thanks for finding these for me, it is much
appreciated!<br>
<br>
Cheers,<br>
<pre cols="72">Jules
--
Julian Field MEng CITP CEng
<div><a href="http://www.Zend.To" target="_blank">www.Zend.To</a>
Follow me at <a href="http://twitter.com/JulesFM" target="_blank">twitter.com/JulesFM</a>
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
</div></pre>
</div>
<br>
_______________________________________________<br>
ZendTo mailing list<br>
<a href="mailto:ZendTo@zend.to" target="_blank">ZendTo@zend.to</a><br>
<a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto" target="_blank">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a><br>
</blockquote>
</div>
<br>
</blockquote>
<br>
<pre cols="72">Jules
--
Julian Field MEng CITP CEng
<a href="http://www.Zend.To" target="_blank">www.Zend.To</a>
Follow me at <a href="http://twitter.com/JulesFM" target="_blank">twitter.com/JulesFM</a>
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
</pre>
</div></div></div>
</blockquote></div><br>
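The fix Jules describes above (an auth parameter that is good for exactly one request, and removed once the upload completes), as an added example that is not ZendTo's own code: a minimal single-use, expiring token store for an anonymous drop-off form, plus a simulated dropoff.php handler run against the requests Patrick reported, the Burp Repeater replay and the edited recipient field. The class and function names, the ten-minute TTL, the decision to bind the token to the recipient it was issued for, and the example.com domain standing in for the preferences.php setting are all assumptions made here, not details from the thread.

```python
"""Single-use drop-off auth tokens (added example, not ZendTo's code).

Models the fix discussed on the list: the 'auth' parameter that a
CAPTCHA-solved drop-off form carries is good for exactly one POST,
expires, and is bound to the recipient it was issued for. Names,
the TTL and the example.com domain are assumptions made here.
"""
import secrets
import time

# Stand-in for the recipient domain configured in preferences.php (assumed).
ALLOWED_DOMAIN = "example.com"


class DropoffTokenStore:
    """Issues opaque tokens and lets each one be redeemed once."""

    def __init__(self, ttl_seconds=600):
        self._ttl = ttl_seconds
        self._live = {}  # token -> (bound recipient, expiry timestamp)

    def issue(self, recipient, now=None):
        """Called once the CAPTCHA has been solved for this recipient."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits: unguessable
        self._live[token] = (recipient.strip().lower(), now + self._ttl)
        return token

    def consume(self, token, recipient, now=None):
        """Redeem a token. Returns True once; a replay, an expired token
        or a token presented with a different recipient returns False.

        The token is popped *before* the other checks, so a tampered
        request burns it instead of leaving it reusable."""
        now = time.time() if now is None else now
        entry = self._live.pop(token, None)
        if entry is None:          # unknown, or already spent (replay)
            return False
        bound_recipient, expires_at = entry
        if now >= expires_at:      # form left open longer than the TTL
            return False
        return bound_recipient == recipient.strip().lower()


def handle_dropoff(store, post, now=None):
    """Simulated dropoff.php POST handler; returns 'accepted' or a reason."""
    recipient = post.get("recipient", "")
    if not recipient.strip().lower().endswith("@" + ALLOWED_DOMAIN):
        return "rejected: recipient outside the configured domain"
    if not store.consume(post.get("auth", ""), recipient, now):
        return "rejected: auth token missing, spent, expired or for another recipient"
    return "accepted"


def demo():
    """Replays the requests from the report against the handler.

    Timestamps are constructed so the run is deterministic."""
    store = DropoffTokenStore(ttl_seconds=600)
    t0 = 1_000_000
    results = []

    # 1. Legitimate drop-off: CAPTCHA solved, token issued, one POST.
    tok = store.issue("alice@example.com", now=t0)
    results.append(handle_dropoff(store, {"auth": tok, "recipient": "alice@example.com"}, now=t0 + 5))

    # 2. The same POST replayed from Burp Repeater: token already spent.
    results.append(handle_dropoff(store, {"auth": tok, "recipient": "alice@example.com"}, now=t0 + 6))

    # 3. Fresh token, but the recipient field was edited in the proxy.
    tok = store.issue("alice@example.com", now=t0)
    results.append(handle_dropoff(store, {"auth": tok, "recipient": "bob@example.com"}, now=t0 + 5))

    # 4. ...and the tampering burned the token, so the original request fails too.
    results.append(handle_dropoff(store, {"auth": tok, "recipient": "alice@example.com"}, now=t0 + 6))

    # 5. Token older than the TTL.
    tok = store.issue("alice@example.com", now=t0)
    results.append(handle_dropoff(store, {"auth": tok, "recipient": "alice@example.com"}, now=t0 + 601))

    # 6. Recipient outside the configured domain never reaches the token check.
    results.append(handle_dropoff(store, {"auth": "anything", "recipient": "mallory@evil.example"}, now=t0))
    return results


if __name__ == "__main__":
    for i, r in enumerate(demo(), 1):
        print(i, r)
```

Two design choices worth noting: the token is removed from the store before the recipient and expiry checks run, so a request that was edited in the proxy burns the token rather than leaving a valid one behind for a second try; and the token is only redeemed in the handler that completes the upload, which is the point Jules makes about an incomplete upload still being repeatable. A real deployment would keep the store in a database or shared cache rather than a per-process dict.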