<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
You will get them when I release them, which will be in the next day
or two.<br>
<br>
Jules.<br>
<br>
On 23/05/2011 16:37, Ken Buska wrote:
<blockquote
cite="mid:BANLkTikG1_yW6Z+OzfH1Uc3we+5FcOBARw@mail.gmail.com"
type="cite">Jules,<br>
<br>
How can we get these fixes? Is there a source repository
somewhere?<br>
<br>
Cheers,<br>
Ken<br>
<br>
<br>
<br>
<div class="gmail_quote">On Mon, May 23, 2011 at 2:52 AM, Jules <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:Jules@zend.to">Jules@zend.to</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
<div class="im"> <br>
<br>
On 22/05/2011 15:09, <a moz-do-not-send="true"
href="mailto:patrick.gaikowski@kaufland.com"
target="_blank">patrick.gaikowski@kaufland.com</a>
wrote:
<blockquote type="cite">
<p><font face="sans-serif" size="2">Hi,</font><br>
<br>
<font face="sans-serif" size="2">we engaged a company
for penetration testing of web applications and
that's why I tried to be prepared....</font><br>
<br>
<font face="sans-serif" size="2">I used the tool "Burp
Suite", which is an HTTP/HTTPS proxy for intercepting
web requests / responses. </font><br>
</p>
<ul style="padding-left: 18pt;" type="disc">
<li><font face="sans-serif" size="2">I made a dropoff
request without username / password --> only
ReCaptcha</font></li>
</ul>
</blockquote>
</div>
Definitely a bug, now fixed. Well done!
<div class="im"><br>
<blockquote type="cite">
<ul style="padding-left: 18pt;" type="disc">
<li><font face="sans-serif" size="2">I intercepted the
POST to dropoff.php</font></li>
</ul>
<br>
<i>(See attached file: dropoff)</i><br>
</blockquote>
</div>
Great, XML, my favourite. :-)
<div class="im"><br>
<blockquote type="cite">
<ul style="padding-left: 18pt;" type="disc">
<li><font face="sans-serif" size="2">In the tool you
can send the POST to the repeating module and
modify the POST</font> </li>
<li><font face="sans-serif" size="2">I was able to
send the upload various times --> the limit
will be the free space on the host system --></font><font
color="#ff0000" face="sans-serif" size="2"> can be
used to blow up the system and perhaps crash the
system</font></li>
</ul>
</blockquote>
</div>
If you don't complete the upload, then you will be able to
do that. Once the upload has finished, the auth code should
be removed (and now is! :-) (unless you're a logged-in user,
at which point we can hunt you down anyway).<br>
I'm not particularly worried about attacks by logged-in
users. They can just repeat the entire upload process as
many times as they like anyway, uploading either the same
files or different files each time.
<div class="im"><br>
<blockquote type="cite">
<ul style="padding-left: 18pt;" type="disc">
<li><font face="sans-serif" size="2">I was able to
change, for example, the email address of the
recipient (only the domain defined in
preferences.php) in the POST --> </font><font
color="#ff0000" face="sans-serif" size="2">can be
used for SPAM if the email domain is not
configured correctly</font></li>
</ul>
</blockquote>
</div>
Agreed. You can indeed change the email address of the
recipient in the upload. But then again you can just make
your automated hacking system slightly more clever and do
multiple uploads to anyone you like in the
preferences.php-configured domain. So I am not worried about
that either.
<div class="im"><br>
<blockquote type="cite"> <br>
<font face="sans-serif" size="2">Is it possible to limit
the lifetime of the </font><font color="#ff0000"
face="sans-serif" size="2">auth-Parameter</font><font
face="sans-serif" size="2"> to only one request? </font><br>
</blockquote>
</div>
Well spotted, yes that is a bug. Fixed. That should take
care of the multiple uploads exploits you found above too.<br>
<br>
Many thanks for finding these for me, it is much
appreciated!<br>
<br>
Cheers,<br>
<pre cols="72">Jules
--
Julian Field MEng CITP CEng
<div class="im"><a moz-do-not-send="true" href="http://www.Zend.To" target="_blank">www.Zend.To</a>
Follow me at <a moz-do-not-send="true" href="http://twitter.com/JulesFM" target="_blank">twitter.com/JulesFM</a>
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
</div></pre>
</div>
<br>
_______________________________________________<br>
ZendTo mailing list<br>
<a moz-do-not-send="true" href="mailto:ZendTo@zend.to">ZendTo@zend.to</a><br>
<a moz-do-not-send="true"
href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto"
target="_blank">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a><br>
</blockquote>
</div>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CITP CEng
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
</pre>
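The single-use auth code discussed in the thread, worked through as an added example (Python, not ZendTo's own PHP code): a code is issued after the CAPTCHA is solved, retired the moment a drop-off POST presents it, and any replayed, expired or absent code is refused; the recipient-domain restriction from the thread is included as well. AuthStore, dropoff and TOKEN_TTL_SECONDS are hypothetical names, and retiring the code when the POST is accepted rather than when the upload finishes is a stricter assumption than the thread states, chosen because it also closes the window in which two concurrent replays could both pass validation.

```python
import secrets
import time

# Constructed value: how long an unused code stays valid, in seconds.
TOKEN_TTL_SECONDS = 600


class AuthStore:
    """Server-side record of issued auth codes (hypothetical, not ZendTo's).

    The sender only ever holds the opaque code; validity lives on the server,
    so editing the intercepted POST cannot extend or reuse it.
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, for tests
        self._tokens = {}          # code -> expiry timestamp

    def issue(self):
        """Hand out a fresh code, e.g. once the CAPTCHA has been solved."""
        code = secrets.token_urlsafe(32)
        self._tokens[code] = self._now() + TOKEN_TTL_SECONDS
        return code

    def consume(self, code):
        """Validate and retire a code in one step.

        pop() removes the entry whether or not it is still valid, so the
        first request to present a code wins and every replay sees nothing.
        """
        expiry = self._tokens.pop(code, None)
        return expiry is not None and self._now() <= expiry


def dropoff(store, code, recipient, allowed_domain):
    """Handle one drop-off POST: check the recipient domain, then the code."""
    _local, sep, domain = recipient.rpartition("@")
    if not sep or domain.lower() != allowed_domain.lower():
        # Checked before the code is spent so a typo does not burn it.
        return "rejected: recipient outside configured domain"
    if not store.consume(code):
        return "rejected: auth code missing, expired or already used"
    return "accepted"
```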
</body>
</html>