<html><body bgcolor="#FFFFFF">
<p><font size="2" face="sans-serif">Hi Jules,</font><br>
<br>
<font size="2" face="sans-serif">will there be a patch or new release?</font><br>
<br>
<font size="2" face="sans-serif">Mit freundlichen Grüßen / Best regards<br>
<br>
Patrick Gaikowski<br>
Tel: +49 7132 94 3568<br>
Fax: +49 7132 94 73568<br>
E-Mail: patrick.gaikowski@kaufland.com<br>
KI 967800 IT International / Infrastruktur<br>
Office:<br>
Lindichstrasse 11<br>
D-74189 Weinsberg</font><br>
<br>
<br>
<br>
<font size="2" face="sans-serif"><a href="http://www.kaufland.de">http://www.kaufland.de</a> </font><br>
<font size="2" face="sans-serif">Wir sind die Nr. 1:</font><br>
<font size="2" face="sans-serif">Kaufland ist "Bester Lebensmittelmarkt 2011"!</font><br>
<br>
<font size="2" face="sans-serif">Kaufland Informationssysteme GmbH & Co. KG</font><br>
<font size="2" face="sans-serif">Postfach 12 53 - 74149 Neckarsulm<br>
Kommanditgesellschaft<br>
Sitz: Neckarsulm<br>
Registergericht: Amtsgericht Stuttgart HRA 104163</font><br>
<ul style="padding-left: 18pt"><img width="16" height="16" src="cid:1__=4EBBF20ADFD1B47A8f9e8a93@de.int.kaufland" border="0" alt="Inactive hide details for Jules <Jules@zend.to>"><font size="2" face="sans-serif">Jules <Jules@zend.to></font></ul>
<br>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr valign="top"><td width="40%">
<ul style="padding-left: 9pt"><font size="1" face="sans-serif"><b>Jules <Jules@zend.to></b></font><font size="1" face="sans-serif"> </font><br>
<font size="1" face="sans-serif">Gesendet von: zendto-bounces@zend.to</font>
<p><font size="1" face="sans-serif">23.05.2011 10:52</font>
<table border="1">
<tr valign="top"><td width="168" bgcolor="#FFFFFF">
<ul style="padding-left: 0pt"><font size="1" face="sans-serif">Bitte antworten an<br>
ZendTo Users <zendto@zend.to></font></ul>
</td></tr>
</table>
</ul>
</td><td width="60%">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr valign="top"><td width="1%" valign="middle"><img width="66" height="1" src="cid:2__=4EBBF20ADFD1B47A8f9e8a93@de.int.kaufland" border="0" alt=""><br>
</td><td width="100%"><img width="1" height="1" src="cid:2__=4EBBF20ADFD1B47A8f9e8a93@de.int.kaufland" border="0" alt=""><br>
<font size="1" face="sans-serif">ZendTo Users <zendto@zend.to></font></td></tr>
<tr valign="top"><td width="1%" valign="middle"><img width="66" height="1" src="cid:2__=4EBBF20ADFD1B47A8f9e8a93@de.int.kaufland" border="0" alt=""><br>
</td><td width="100%"><img width="1" height="1" src="cid:2__=4EBBF20ADFD1B47A8f9e8a93@de.int.kaufland" border="0" alt=""><br>
</td></tr>
<tr valign="top"><td width="1%" valign="middle"><img width="66" height="1" src="cid:2__=4EBBF20ADFD1B47A8f9e8a93@de.int.kaufland" border="0" alt=""><br>
<div align="right"><font size="1" face="sans-serif">Thema </font></div></td><td width="100%"><img width="1" height="1" src="cid:2__=4EBBF20ADFD1B47A8f9e8a93@de.int.kaufland" border="0" alt=""><br>
<font size="1" face="sans-serif">[ZendTo] Re: Antwort: Re: Zendto is vulnerable for SQL-Injection</font></td></tr>
</table>
<table border="0" cellspacing="0" cellpadding="0">
<tr valign="top"><td width="58"><img width="1" height="1" src="cid:2__=4EBBF20ADFD1B47A8f9e8a93@de.int.kaufland" border="0" alt=""></td><td width="336"><img width="1" height="1" src="cid:2__=4EBBF20ADFD1B47A8f9e8a93@de.int.kaufland" border="0" alt=""></td></tr>
</table>
</td></tr>
</table>
<br>
<font size="3" face="serif"><br>
<br>
On 22/05/2011 15:09, </font><a href="mailto:patrick.gaikowski@kaufland.com"><font size="3" color="#0000FF" face="serif"><u>patrick.gaikowski@kaufland.com</u></font></a><font size="3" face="serif"> wrote: </font>
<ul style="padding-left: 36pt"><br>
<font size="2" face="sans-serif">Hi,</font><font size="3" face="serif"><br>
</font><font size="2" face="sans-serif"><br>
we engaged a company for penetration testing of web applications and thats why i tried to be prepared....</font><font size="3" face="serif"><br>
</font><font size="2" face="sans-serif"><br>
I used the tool "burp suite" which is a http/https proxy for intercepting web requests / responses. </font>
<ul type="disc" style="padding-left: 36pt">
<li><font size="2" face="sans-serif">i made a dropoff request without username / password --> only ReCaptcha</font></ul>
</ul>
<font size="3" face="serif">Definitely a bug, now fixed. Well done!</font>
<ul type="disc" style="padding-left: 72pt">
<li>
<li><font size="2" face="sans-serif">i intercepted the POST to dropoff.php</font></ul>
<ul style="padding-left: 36pt"><font size="3" face="serif"><i><br>
(See attached file: dropoff)</i></font></ul>
<font size="3" face="serif">Great, XML, my favourite. :-)</font>
<ul type="disc" style="padding-left: 72pt">
<li><font size="2" face="sans-serif">in the tool you can send the POST to the repeating module and modify the POST</font><font size="3" face="serif"> </font>
<li><font size="2" face="sans-serif">i was able the send the upload a various times --> the limit will be the free space on the host system --></font><font size="2" color="#FF0000" face="sans-serif"> can be used for blow up the system and perhaps crash the system</font></ul>
<font size="3" face="serif">If you don't complete the upload, then you will be able to do that. Once the upload has finished, the auth code should be removed (and now is! :-) (unless you're a logged in user, at which point we can hunt you down anyway).<br>
I'm not particularly worried about attacks by logged in users. They can just repeat the entire upload process as many times as they like anyway, uploading either the same files or different files each time.</font>
<ul type="disc" style="padding-left: 72pt">
<li>
<li><font size="2" face="sans-serif">i was able to change for example the email-address of the recipient (only the domain defined in preferences.php) in the POST--> </font><font size="2" color="#FF0000" face="sans-serif">can be used for SPAM if the email domain is not configured correctly</font></ul>
<font size="3" face="serif">Agreed. You can indeed change the email address of the recipient in the upload. But then again you can just make your automated hacking system slightly more clever and do multiple uploads to anyone you like in the the preferences.php configured domain. So I am not worried about that either.</font>
<ul style="padding-left: 36pt"><font size="2" face="sans-serif"><br>
Is it possible to limit the lifetime of the </font><font size="2" color="#FF0000" face="sans-serif">auth-Parameter</font><font size="2" face="sans-serif"> to only one request? </font></ul>
<font size="3" face="serif">Well spotted, yes that is a bug. Fixed. That should take care of the multiple uploads exploits you found above too.<br>
<br>
Many thanks for finding these for me, it is much appreciated!<br>
<br>
Cheers,</font><br>
<tt><font size="3">Jules<br>
<br>
-- <br>
Julian Field MEng CITP CEng<br>
</font></tt><a href="http://www.zend.to/"><tt><font size="3" color="#0000FF"><u>www.Zend.To</u></font></tt></a><tt><font size="3"><br>
<br>
Follow me at twitter.com/JulesFM<br>
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654<br>
<br>
'All programs have a desire to be useful' - Tron, 1982<br>
</font></tt><tt><font size="2">_______________________________________________<br>
ZendTo mailing list<br>
ZendTo@zend.to<br>
</font></tt><tt><font size="2"><a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a></font></tt><br>
</body></html>