<html><body bgcolor="#FFFFFF">
<p><font size="2" face="sans-serif"><a href="http://www.kaufland.de">http://www.kaufland.de</a> </font><br>
<font size="2" face="sans-serif"><a href="http://www.spannende-it.de">http://www.spannende-it.de</a></font><br>
<font size="2" face="sans-serif">We are No. 1:</font><br>
<font size="2" face="sans-serif">Kaufland is "Best Supermarket 2011"!</font><br>
<br>
<font size="2" face="sans-serif">Kaufland Informationssysteme GmbH & Co. KG</font><br>
<font size="2" face="sans-serif">Postfach 12 53 - 74149 Neckarsulm<br>
Limited partnership<br>
Registered office: Neckarsulm<br>
Register court: Amtsgericht Stuttgart HRA 104163</font><br>
<br>
<br>
<br>
<br>
<br>
<p><font size="1" face="sans-serif"><b>patrick.gaikowski@kaufland.com</b><br>
Sent by: zendto-bounces@zend.to<br>
16.06.2011 15:00<br>
Please reply to: ZendTo Users &lt;zendto@zend.to&gt;<br>
To: ZendTo Users &lt;zendto@zend.to&gt;<br>
Subject: [ZendTo] Reply: {Disarmed} Re: Penetration Test show big security issue</font></p>
<br>
<font size="2" face="sans-serif">Hi Jules,<br>
<br>
It seems to work...<br>
<br>
Wow, we avoided a red point from penetration testing...<br>
<br>
I'll get a report and we can try to fix some other issues. They found one more possible XSS, but I will get information.<br>
<br>
Best regards<br>
<br>
Patrick Gaikowski<br>
Tel: +49 7132 94 3568<br>
Fax: +49 7132 94 73568<br>
E-Mail: patrick.gaikowski@kaufland.com<br>
KI 967800 IT International / Infrastruktur<br>
Office:<br>
Lindichstrasse 11<br>
D-74189 Weinsberg</font><br>
<br>
<p><font size="1" face="sans-serif"><b>Jules &lt;Jules@zend.to&gt;</b><br>
Sent by: zendto-bounces@zend.to<br>
16.06.2011 12:52<br>
Please reply to: ZendTo Users &lt;zendto@zend.to&gt;<br>
To: ZendTo Users &lt;zendto@zend.to&gt;<br>
Subject: [ZendTo] {Disarmed} Re: Penetration Test show big security issue</font></p>
<font size="3" face="serif"><br>
This is easy to fix with a little patch to /opt/zendto/templates/show_dropoff.tpl, which is one of the files you can happily edit, and your changes will survive upgrades.<br>
<br>
I've attached the patch file. Gunzip it and then<br>
<tt>cd /opt/zendto/templates</tt><br>
<tt>patch &lt; /tmp/show_dropoff.tpl.patch</tt><br>
and you should find the HTML changes to not include the ClaimID and Passcode unless it is actually needed. I have also removed a whole chunk of commented-out HTML from the page.<br>
<br>
This change will also be in the next release unless anyone says it doesn't work! :)<br>
<br>
Jules.<br>
<br>
On 16/06/2011 10:30, </font><a href="mailto:patrick.gaikowski@kaufland.com"><font size="3" color="#0000FF" face="serif"><u>patrick.gaikowski@kaufland.com</u></font></a><font size="3" face="serif"> wrote: </font>
<ul style="padding-left: 36pt"><font size="2" face="sans-serif"><br>
Hi,<br>
<br>
the penetration test in my company shows a big issue regarding the "onDemand" dropoff for non-registered users.</font>
<ul type="disc" style="padding-left: 36pt">
<li><font size="2" face="sans-serif">a foreign user gets dropoff-auth with a valid email address after reCAPTCHA</font></li>
<li><font size="2" face="sans-serif">the user uploads files to ZendTo with a non-existing email address of my company (for example --> </font><a href="mailto:nonexisting@kaufland.com"><font size="2" color="#0000FF" face="sans-serif"><u>nonexisting@kaufland.com</u></font></a><font size="2" face="sans-serif">)</font></li>
<li><font size="2" face="sans-serif">the user gets the dropoff summary</font></li></ul>
<font size="2" face="sans-serif">In the source code of dropoff.php you can see the <b>claimid</b> and <b>claimpasscode</b> as hidden input fields:</font><tt><font size="3"><br>
&lt;form name="deleteDropoff" method="post" action="https://share.kaufland.com/delete.php"&gt;<br>
&lt;input type="hidden" name="claimID" value="JikPnNT7eDMCr9g7"/&gt;<br>
&lt;input type="hidden" name="claimPasscode" value="YtKuUMXQzcrMkAtd"/&gt;</font></tt><font size="2" face="sans-serif"><br>
<br>
The foreign user could send the <b>claimid</b> and <b>claimpasscode</b> to a lot of users, like a file-sharing platform!<br>
<br>
From this point of view it's a big security issue!</font></ul>
<tt><font size="3"><br>
Jules<br>
<br>
-- <br>
Julian Field MEng CITP CEng<br>
<a href="http://www.zend.to/"><font color="#0000FF"><u>www.Zend.To</u></font></a><br>
<br>
Follow me at twitter.com/JulesFM<br>
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654<br>
<br>
'All programs have a desire to be useful' - Tron, 1982<br>
[Attachment "show_dropoff.tpl.patch.gz" deleted by Patrick Gaikowski/IS/KI/KAUFLAND]</font></tt><br>
<tt><font size="2">_______________________________________________<br>
ZendTo mailing list<br>
ZendTo@zend.to<br>
<a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a></font></tt><br>
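<p><font size="2" face="sans-serif">As an added illustration (example code written for this page, not ZendTo's own PHP/Smarty template and not Jules's patch): a Python stand-in for the drop-off summary page, showing the template logic before and after the change Jules describes, plus a regression check that lists any claim secrets embedded in a page rendered for an anonymous sender. The drop-off record, the form action and the helper names are constructed for the example.</font></p>

```python
import html
import re

# Constructed sample drop-off record for this example; the values are made up and
# are not the claim ID / passcode quoted in the mailing-list thread.
SAMPLE_DROPOFF = {
    "claimID": "EXAMPLECLAIMID01",
    "claimPasscode": "EXAMPLEPASSCODE1",
    "recipients": ["nonexisting@example.com"],
}


def render_delete_form(dropoff):
    """Hypothetical stand-in for the part of show_dropoff.tpl that emits the
    delete form; both claim secrets travel as hidden inputs."""
    return (
        '<form name="deleteDropoff" method="post" action="/delete.php">\n'
        f'<input type="hidden" name="claimID" value="{html.escape(dropoff["claimID"])}"/>\n'
        f'<input type="hidden" name="claimPasscode" value="{html.escape(dropoff["claimPasscode"])}"/>\n'
        "</form>\n"
    )


def render_summary_vulnerable(dropoff):
    """Before the fix: the delete form, and with it both claim secrets, is part
    of every summary page, including the one an unauthenticated
    (reCAPTCHA-only) sender sees right after uploading."""
    recipients = html.escape(", ".join(dropoff["recipients"]))
    return f"<p>Files dropped off for {recipients}</p>\n" + render_delete_form(dropoff)


def render_summary_fixed(dropoff, viewer_may_delete):
    """After the fix: the delete form is rendered only when the viewer is
    actually entitled to delete the drop-off (e.g. an authenticated local user
    viewing their own drop-off); an anonymous sender never receives the secrets."""
    recipients = html.escape(", ".join(dropoff["recipients"]))
    page = f"<p>Files dropped off for {recipients}</p>\n"
    if viewer_may_delete:
        page += render_delete_form(dropoff)
    return page


# Matches the hidden claimID / claimPasscode inputs in rendered HTML.
CLAIM_SECRET_RE = re.compile(r'name="claim(?:ID|Passcode)"\s+value="([^"]*)"')


def leaked_claim_secrets(page_html):
    """Regression check: list the claim secrets embedded in a rendered page.
    Run it on the page served to an anonymous sender; the result should be empty."""
    return CLAIM_SECRET_RE.findall(page_html)
```

<p><font size="2" face="sans-serif">The same check can be pointed at the HTML of a real summary page after an upgrade, to confirm the template change has not been reverted.</font></p>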
</body></html>