<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
This is easy to fix with a little patch to
/opt/zendto/templates/show_dropoff.tpl, which is one of the files you can
happily edit, and your changes will survive upgrades.<br>
<br>
I've attached the patch file. gunzip it and then<br>
cd /opt/zendto/templates<br>
patch < /tmp/show_dropoff.tpl.patch<br>
and you should find the HTML changes so that it does not include the ClaimID and
Passcode unless they are actually needed. I have also removed a whole
chunk of commented-out HTML from the page.<br>
<br>
This change will also be in the next release unless anyone says it
doesn't work! :)<br>
<br>
Jules.<br>
<br>
On 16/06/2011 10:30, <a class="moz-txt-link-abbreviated" href="mailto:patrick.gaikowski@kaufland.com">patrick.gaikowski@kaufland.com</a> wrote:
<blockquote
cite="mid:OF1ACA11AF.3B5B9D9D-ONC12578B1.00338026-C12578B1.00344203@de.int.kaufland"
type="cite">
<p><font face="sans-serif" size="2">Hi,</font><br>
<br>
<font face="sans-serif" size="2">the penetration test in my
company shows a big issue regarding the "onDemand" dropoff for
non-registered users.</font><br>
</p>
<ul style="padding-left: 18pt;" type="disc">
<li><font face="sans-serif" size="2">a foreign user gets
dropoff-auth with a valid email address after Recaptcha</font>
</li>
<li><font face="sans-serif" size="2">the user uploads files to
ZendTo with a non-existing email address of my company (for
example <a class="moz-txt-link-abbreviated" href="mailto:nonexisting@kaufland.com">nonexisting@kaufland.com</a>)</font>
</li>
<li><font face="sans-serif" size="2">the user gets the dropoff summary</font></li>
</ul>
<font face="sans-serif" size="2">In the source code of dropoff.php
you can see the <b>claimid</b> and <b>claimpasscode</b> as hidden input fields:</font>
<br>
<tt><font size="3">&lt;form name="deleteDropoff" method="post"
action=<a class="moz-txt-link-rfc2396E" href="https://share.kaufland.com/delete.php">"https://share.kaufland.com/delete.php"</a>&gt;<br>
&lt;input type="hidden" name="claimID"
value="JikPnNT7eDMCr9g7"/&gt;<br>
&lt;input type="hidden" name="claimPasscode"
value="YtKuUMXQzcrMkAtd"/&gt;</font></tt><br>
<br>
<br>
<font face="sans-serif" size="2">The foreign user could send the </font><font
face="sans-serif" size="2"><b>claimid</b></font><font
face="sans-serif" size="2"> and </font><font face="sans-serif"
size="2"><b>claimpasscode</b></font><font face="sans-serif"
size="2"> to a lot of users, like a filesharing platform!</font><br>
<br>
<font face="sans-serif" size="2">From this point of view it's a big
security issue!</font><br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CITP CEng
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'All programs have a desire to be useful' - Tron, 1982
</pre>
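<p>A small regression check for the leak described in the thread, added here as an
illustration and not part of the original message or of ZendTo: it parses a dropoff
summary page and reports any hidden <tt>claimID</tt>/<tt>claimPasscode</tt> inputs, so an
admin can confirm the patched template no longer emits them. The sample pages and their
values are constructed placeholders.</p>

```python
from html.parser import HTMLParser

# Hidden input names that carried the claim credentials in the reported
# summary page; any page that still emits them exposes the dropoff secrets.
SECRET_FIELDS = {"claimid", "claimpasscode"}


class HiddenFieldFinder(HTMLParser):
    """Collect (form name, input name, value) for every hidden <input>."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current_form = a.get("name")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden.append((self.current_form, a.get("name", ""), a.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def leaked_claim_fields(page_html):
    """Return [(form, field)] for hidden inputs whose name is a claim secret."""
    finder = HiddenFieldFinder()
    finder.feed(page_html)
    return [(form, name) for form, name, _ in finder.hidden
            if name.lower() in SECRET_FIELDS]


# Constructed sample: the summary page as reported (placeholder values/host).
UNPATCHED = """
<form name="deleteDropoff" method="post" action="https://example.invalid/delete.php">
<input type="hidden" name="claimID" value="PLACEHOLDER_ID"/>
<input type="hidden" name="claimPasscode" value="PLACEHOLDER_PASSCODE"/>
</form>
"""

# Constructed sample: the same form with the secret fields removed.
PATCHED = """
<form name="deleteDropoff" method="post" action="https://example.invalid/delete.php">
</form>
"""

if __name__ == "__main__":
    for label, page in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(label, leaked_claim_fields(page))
```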
</body>
</html>