Jules,<br><br>
How can we get these fixes? Is there a source repository somewhere?<br><br>Cheers,<br>Ken<br><br><br><br><div class="gmail_quote">On Mon, May 23, 2011 at 2:52 AM, Jules <span dir="ltr"><<a href="mailto:Jules@zend.to">Jules@zend.to</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="#ffffff" text="#000000"><div class="im">
<br>
<br>
On 22/05/2011 15:09, <a href="mailto:patrick.gaikowski@kaufland.com" target="_blank">patrick.gaikowski@kaufland.com</a> wrote:
<blockquote type="cite">
<p><font size="2" face="sans-serif">Hi,</font><br>
<br>
<font size="2" face="sans-serif">we engaged a company for
penetration testing of web applications and that's why I tried
to be prepared...</font><br>
<br>
<font size="2" face="sans-serif">I used the tool "burp suite",
which is an HTTP/HTTPS proxy for intercepting web requests /
responses. </font><br>
</p>
<ul style="padding-left:18pt" type="disc">
<li><font size="2" face="sans-serif">I made a dropoff request
without username / password --> only ReCaptcha</font></li>
</ul>
</blockquote></div>
Definitely a bug, now fixed. Well done!<div class="im"><br>
<blockquote type="cite">
<ul style="padding-left:18pt" type="disc">
<li><font size="2" face="sans-serif">I intercepted the POST to
dropoff.php</font></li>
</ul>
<br>
<i>(See attached file: dropoff)</i><br>
</blockquote></div>
Great, XML, my favourite. :-)<div class="im"><br>
<blockquote type="cite">
<ul style="padding-left:18pt" type="disc">
<li><font size="2" face="sans-serif">in the tool you can send
the POST to the repeating module and modify the POST</font>
</li>
<li><font size="2" face="sans-serif">I was able to send the
upload various times --> the limit will be the free
space on the host system --></font><font size="2" color="#ff0000" face="sans-serif"> can be used to blow up the
system and perhaps crash the system</font></li>
</ul>
</blockquote></div>
If you don't complete the upload, then you will be able to do that.
Once the upload has finished, the auth code should be removed (and
now is! :-) (unless you're a logged-in user, at which point we can
hunt you down anyway).<br>
I'm not particularly worried about attacks by logged-in users. They
can just repeat the entire upload process as many times as they like
anyway, uploading either the same files or different files each
time.<div class="im"><br>
<blockquote type="cite">
<ul style="padding-left:18pt" type="disc">
<li><font size="2" face="sans-serif">I was able to change, for
example, the email address of the recipient (only the domain
defined in preferences.php) in the POST --> </font><font size="2" color="#ff0000" face="sans-serif">can be used for
SPAM if the email domain is not configured correctly</font></li>
</ul>
</blockquote></div>
Agreed. You can indeed change the email address of the recipient in
the upload. But then again you can just make your automated hacking
system slightly more clever and do multiple uploads to anyone you
like in the preferences.php configured domain. So I am not
worried about that either.<div class="im"><br>
<blockquote type="cite">
<br>
<font size="2" face="sans-serif">Is it possible to limit the
lifetime of the </font><font size="2" color="#ff0000" face="sans-serif">auth-Parameter</font><font size="2" face="sans-serif">
to only one request? </font><br>
</blockquote></div>
Well spotted, yes that is a bug. Fixed. That should take care of the
multiple-upload exploits you found above too.<br>
<br>
Many thanks for finding these for me, it is much appreciated!<br>
<br>
Cheers,<br>
<pre cols="72">Jules
--
Julian Field MEng CITP CEng
<div class="im"><a href="http://www.Zend.To" target="_blank">www.Zend.To</a>
Follow me at <a href="http://twitter.com/JulesFM" target="_blank">twitter.com/JulesFM</a>
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
</div></pre>
</div>
<br>_______________________________________________<br>
ZendTo mailing list<br>
<a href="mailto:ZendTo@zend.to">ZendTo@zend.to</a><br>
<a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto" target="_blank">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a><br></blockquote></div><br>
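Jules describes the fix above as removing the auth code once the upload has finished, so that an intercepted dropoff POST cannot simply be re-sent. The following is an added illustration of that single-use pattern, written for this thread and not ZendTo's own code; the class name, the in-memory store and the 600-second default lifetime are assumptions.

```python
import secrets
import time

# Hypothetical helper illustrating a single-use drop-off auth code; not ZendTo's own code.


class DropoffAuthStore:
    """Hands out one auth code per CAPTCHA-checked drop-off form and retires it
    on the first completed upload, so a captured POST cannot be replayed."""

    def __init__(self, ttl_seconds=600, clock=time.time):
        self._ttl = ttl_seconds          # assumed lifetime; unfinished uploads still expire
        self._clock = clock              # injectable so the behaviour can be tested offline
        self._issued = {}                # code -> time the code was handed out

    def issue(self):
        """Called once the CAPTCHA (or login) check has passed; returns the auth code."""
        code = secrets.token_urlsafe(32)
        self._issued[code] = self._clock()
        return code

    def consume(self, code):
        """Validate and retire the code when an upload finishes.

        Returns True exactly once per issued, unexpired code. The code is removed
        before any check, so re-sending the same POST fails whatever the outcome.
        """
        issued_at = self._issued.pop(code, None)
        if issued_at is None:
            return False                 # unknown, already used, or never issued
        if self._clock() - issued_at > self._ttl:
            return False                 # upload left unfinished too long; retired on touch
        return True

    def purge_expired(self):
        """Housekeeping for codes whose upload never completed; returns how many were dropped."""
        now = self._clock()
        stale = [c for c, t in self._issued.items() if now - t > self._ttl]
        for c in stale:
            del self._issued[c]
        return len(stale)
```

Because the code is popped on first use, the "send the upload various times" case from the report fails on the second attempt, and the purge covers uploads that were started but never completed.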