<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
Another thing you might want to know.<br>
<br>
If you send a dropoff to a user, it displays a page containing the
ClaimID and Passcode so you can send it to other users as well if
you wish.<br>
If you consider this to be a security hole, then edit
/opt/zendto/templates/show_dropoff.tpl and delete the
"sendContainer" div.<br>
I don't want to delete from the distribution, because it's quite
useful for people. However, the whole point of moving all the HTML
out into the templates directory is so that you can edit them to fit
your requirements and site design. Any changes you make to them will
be kept during yum and apt upgrades. They are intended for you to
make changes beyond what is set in zendto.conf.<br>
<br>
So feel free to remove this section from the template file if you
find this is being exploited on your site. It isn't on mine.<br>
<br>
Jules.<br>
<br>
On 16/06/2011 10:30, <a class="moz-txt-link-abbreviated" href="mailto:patrick.gaikowski@kaufland.com">patrick.gaikowski@kaufland.com</a> wrote:
<blockquote
cite="mid:OF1ACA11AF.3B5B9D9D-ONC12578B1.00338026-C12578B1.00344203@de.int.kaufland"
type="cite">
<p><font face="sans-serif" size="2">Hi,</font><br>
<br>
<font face="sans-serif" size="2">the penetration test in my
company shows big issue according "onDemand" dropoff for non
registered users.</font><br>
</p>
<ul style="padding-left: 18pt;" type="disc">
<li><font face="sans-serif" size="2">foreign user gets
dropoff-auth with valid email-address after Recaptcha</font>
</li>
<li><font face="sans-serif" size="2">user uploads files to
Zendto with a non-existing email-address of my company (for
example --> <a class="moz-txt-link-abbreviated" href="mailto:nonexisting@kaufland.com">nonexisting@kaufland.com</a>)</font>
</li>
<li><font face="sans-serif" size="2">user gets dropoff summary</font></li>
</ul>
<br>
<img src="cid:part1.01090408.00060200@Zend.To" height="556"
width="1020"><br>
<ul style="padding-left: 18pt;" type="disc">
<li><font face="sans-serif" size="2">in the source code of
dropoff.php you can see the </font><font face="sans-serif"
size="2"><b>claimid</b></font><font face="sans-serif"
size="2"> and </font><font face="sans-serif" size="2"><b>claimpasscode
</b></font><font face="sans-serif" size="2">as hidden input
fields</font></li>
</ul>
<br>
<tt><font size="3"><form name="deleteDropoff" method="post"
action=<a class="moz-txt-link-rfc2396E" href="https://share.kaufland.com/delete.php"><font color="red"><b>MailScanner has detected a possible fraud attempt from "share.kaufland.com" claiming to be</b></font> "https://share.kaufland.com/delete.php"</a>><br>
<input type="hidden" name="claimID"
value="JikPnNT7eDMCr9g7"/><br>
<input type="hidden" name="claimPasscode"
value="YtKuUMXQzcrMkAtd"/></font></tt><br>
<br>
<br>
<font face="sans-serif" size="2">The foreign user could send the </font><font
face="sans-serif" size="2"><b>claimid</b></font><font
face="sans-serif" size="2"> and </font><font face="sans-serif"
size="2"><b>claimpasscode</b></font><font face="sans-serif"
size="2"> to a lot of users, like a filesharing platform!</font><br>
<br>
<font face="sans-serif" size="2">From this point of view its a big
security issue!</font><br>
<br>
<br>
<font face="sans-serif" size="2">Mit freundlichen Grüßen / Best
regards<br>
<br>
Patrick Gaikowski<br>
Tel: +49 7132 94 3568<br>
Fax: +49 7132 94 73568<br>
E-Mail: <a class="moz-txt-link-abbreviated" href="mailto:patrick.gaikowski@kaufland.com">patrick.gaikowski@kaufland.com</a><br>
KI 967800 IT International / Infrastruktur<br>
Office:<br>
Lindichstrasse 11<br>
D-74189 Weinsberg</font><br>
<br>
<br>
<font face="sans-serif" size="2"><a moz-do-not-send="true"
href="http://www.kaufland.de">http://www.kaufland.de</a> </font><br>
<font face="sans-serif" size="2"><a moz-do-not-send="true"
href="http://www.spannende-it.de">http://www.spannende-it.de</a></font><br>
<font face="sans-serif" size="2">Wir sind die Nr. 1:</font><br>
<font face="sans-serif" size="2">Kaufland ist "Bester
Lebensmittelmarkt 2011"!</font><br>
<br>
<font face="sans-serif" size="2">Kaufland Informationssysteme GmbH
& Co. KG</font><br>
<font face="sans-serif" size="2">Postfach 12 53 - 74149 Neckarsulm<br>
Kommanditgesellschaft<br>
Sitz: Neckarsulm<br>
Registergericht: Amtsgericht Stuttgart HRA 104163</font><br>
<br>
<br>
<br>
<br>
<br>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
ZendTo mailing list
<a class="moz-txt-link-abbreviated" href="mailto:ZendTo@zend.to">ZendTo@zend.to</a>
<a class="moz-txt-link-freetext" href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a></pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CITP CEng
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'Teach a man to reason, and he will think for a lifetime.' - Phil Plait
'All programs have a desire to be useful' - Tron, 1982
'That is the land of lost content,
I see it shining plain,
The happy highways where I went,
And cannot come again.' - A.E. Houseman
</pre>
</body>
</html>