<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Thanks for that. A few comments in-line below.<br>
<br>
On 22/08/2011 08:43, <a class="moz-txt-link-abbreviated" href="mailto:patrick.gaikowski@kaufland.com">patrick.gaikowski@kaufland.com</a> wrote:
<blockquote
cite="mid:OFC023AD25.9C825BA2-ONC12578F4.002696CD-C12578F4.002A661B@de.int.kaufland"
type="cite">
<p><font face="sans-serif" size="2">Hi,</font><br>
<br>
<font face="sans-serif" size="2">we ordered an external company
specialised in penetration testing to take a look at ZendTo.
They found some weaknesses which should be corrected...</font><br>
<br>
<font face="sans-serif" size="2"><b>1.) Session-Concept</b></font><br>
<br>
<font face="sans-serif" size="2">The user is identified by a
cookie value. The cookie value consists of username,
IP address, timestamp, nonce, browser, cookie name and
server-side secret. All these values are combined and hashed
with MD5. </font><br>
<font face="sans-serif" size="2">This hash is used together with
username, IP address, timestamp and nonce to identify the user.</font><br>
<br>
<font face="sans-serif" size="2">The user sends the
cookie values to the server and the server checks if the hash
is correct and the timestamp is not too old. </font><br>
<br>
<font face="sans-serif" size="2"><b>Suggestion:</b></font><br>
<br>
<font face="sans-serif" size="2">The external company mentions
that there are no additional measures to check if the user is
really connecting from that IP address.</font></p>
</blockquote>
Wrong. See line 999 of NSSDropbox.php.<br>
<blockquote
cite="mid:OFC023AD25.9C825BA2-ONC12578F4.002696CD-C12578F4.002A661B@de.int.kaufland"
type="cite">
<p><font face="sans-serif" size="2"> The security is only based on
the server-side secret.</font></p>
</blockquote>
Not true, because of my comment above. You have to be coming from
the right IP address as well, or else line 999 will chuck you out.<br>
<blockquote
cite="mid:OFC023AD25.9C825BA2-ONC12578F4.002696CD-C12578F4.002A661B@de.int.kaufland"
type="cite">
<p><font face="sans-serif" size="2"> With brute force it should be
possible to get the MD5 hash and imitate every user.</font><br>
<font face="sans-serif" size="2">The suggestion is to extend the
server-side secret to 20 characters</font></p>
</blockquote>
It's already 32 characters.<br>
<blockquote
cite="mid:OFC023AD25.9C825BA2-ONC12578F4.002696CD-C12578F4.002A661B@de.int.kaufland"
type="cite">
<p><font face="sans-serif" size="2"> and change it continuously.</font></p>
</blockquote>
That makes it very hard to verify users, doesn't it? What happens if
someone is logged in during a change of the serversite secret? All
of a sudden their cookies would become invalid. Things like ssh can
change the secret because there is out-of-band communication between
the server and the client. I do not have that luxury in a web
browser.<br>
<blockquote
cite="mid:OFC023AD25.9C825BA2-ONC12578F4.002696CD-C12578F4.002A661B@de.int.kaufland"
type="cite">
<p><font face="sans-serif" size="2"> The status of a session
should be verified on the server side.</font><br>
<br>
<font face="sans-serif" size="2"><b>2.) Cookie</b></font><br>
<br>
<font face="sans-serif" size="2">The cookie "zendto-session" is
not marked with (php) attributes like "secured"</font></p>
</blockquote>
Cannot do that, as ZendTo may well not be run over https; that's up
to the site administrator. Particularly for trial purposes, it may
well be run over http.<br>
<blockquote
cite="mid:OFC023AD25.9C825BA2-ONC12578F4.002696CD-C12578F4.002A661B@de.int.kaufland"
type="cite">
<p><font face="sans-serif" size="2"> and "HttpOnly".</font><br>
</p>
</blockquote>
Agreed. Done.<br>
<blockquote
cite="mid:OFC023AD25.9C825BA2-ONC12578F4.002696CD-C12578F4.002A661B@de.int.kaufland"
type="cite">
<p>
<br>
<font face="sans-serif" size="2"><b>Suggestion:</b></font><br>
<br>
<font face="sans-serif" size="2">All cookies should be marked
with "Secure" and "HttpOnly" to complicate the sniffing of
these values.</font><br>
</p>
</blockquote>
See above.<br>
<blockquote
cite="mid:OFC023AD25.9C825BA2-ONC12578F4.002696CD-C12578F4.002A661B@de.int.kaufland"
type="cite">
<p>
<br>
<font face="sans-serif" size="2"><b>3.) Reflected
Cross-Site-Scripting</b></font><br>
<br>
<font face="sans-serif" size="2">The vulnerability was found in
the following URL: </font><br>
<br>
<font face="sans-serif" size="2"><a class="moz-txt-link-freetext" href="https://">https://</a><IP>/pickup.php?claimID=D9tEmVyPzfpaWW3cd541b"><img
src="noex" onerror="alert('SySS
XSS!')"&claimPasscode=TD9ab87Sas2RFVoW&pickup=Pick-up+the+File(s)</font><br>
</p>
</blockquote>
Well spotted. I missed one. Fixed.<br>
<br>
Many thanks for that. The fixes I've mentioned above will be in the
next release.<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CITP CEng
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Follow me at twitter.com/JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
'It's okay to live without all the answers' - Charlie Eppes, 2011
'All programs have a desire to be useful' - Tron, 1982
'That is the land of lost content,
I see it shining plain,
The happy highways where I went,
And cannot come again.' - A.E. Housman
</pre>
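<p>Added example (Python, not ZendTo's PHP and not code from either message above): it shows how the three points discussed in this thread look when implemented on the server side. The cookie value carries the fields the report describes (username, IP address, timestamp, nonce, browser, cookie name, server-side secret) and is verified the way the reply describes: the hash must match, the client must still be on the IP address bound into the cookie, and the timestamp must not be too old. The field layout, the one-hour lifetime, the use of HMAC-SHA256 in place of plain MD5 over the concatenation, and the acceptance of a list of secrets (so the secret can be rotated without invalidating live sessions, which goes a step beyond the thread) are this example's own assumptions. It also builds the Set-Cookie header with HttpOnly always and Secure only when the site is served over https, and HTML-escapes the reflected claimID and claimPasscode parameters from point 3. All sample values are constructed.</p>

```python
import hashlib
import hmac
import secrets
import time
from html import escape
from urllib.parse import quote, unquote

# Added example, not ZendTo's own code. Field layout, lifetime and the
# HMAC-SHA256 construction (instead of MD5 over a concatenation) are
# assumptions of this example.

COOKIE_NAME = "zendto-session"   # cookie name quoted in the thread
SESSION_LIFETIME = 3600          # assumption: cookies older than 1 h are rejected


def _mac(secret, username, ip, ts, nonce, browser):
    # NUL-separated fields so "ab"+"c" and "a"+"bc" cannot collide;
    # HMAC keys the hash with the secret rather than appending it.
    msg = "\x00".join([COOKIE_NAME, username, ip, str(ts), nonce, browser])
    return hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()


def mint_session(secret, username, ip, browser, now=None):
    """Build the cookie value for a freshly logged-in user."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)   # fresh per login: equal inputs give different cookies
    mac = _mac(secret, username, ip, ts, nonce, browser)
    # username is percent-encoded so a '|' in it cannot shift the fields
    return "|".join([quote(username, safe=""), ip, str(ts), nonce, mac])


def verify_session(cookie_value, accepted_secrets, client_ip, browser, now=None):
    """Return (username, "ok") or (None, reason).

    accepted_secrets lists the current secret first, then any previous
    secret still within SESSION_LIFETIME of its retirement, so the secret
    can be rotated without logging users out mid-session (the concern
    raised in the reply about changing the secret).
    """
    now = int(time.time() if now is None else now)
    parts = cookie_value.split("|")
    if len(parts) != 5:
        return None, "malformed"
    quoted_user, ip, ts_text, nonce, mac = parts
    if not ts_text.isdigit():
        return None, "malformed"
    ts = int(ts_text)
    username = unquote(quoted_user)
    # 1. authenticate the fields before acting on any of them
    if not any(
        hmac.compare_digest(_mac(s, username, ip, ts, nonce, browser), mac)
        for s in accepted_secrets
    ):
        return None, "bad-mac"
    # 2. the client must still come from the address bound into the cookie
    if ip != client_ip:
        return None, "ip-mismatch"
    # 3. the timestamp must be neither in the future nor too old
    if not 0 <= now - ts <= SESSION_LIFETIME:
        return None, "expired"
    return username, "ok"


def set_cookie_header(value, over_https):
    """Set-Cookie value: HttpOnly always, Secure only when served over https."""
    attrs = [f"{COOKIE_NAME}={value}", "Path=/", "HttpOnly"]
    if over_https:
        attrs.append("Secure")
    return "; ".join(attrs)


def render_pickup_fields(claim_id, claim_passcode):
    """Reflect the pickup parameters into hidden form fields, HTML-escaped.

    Escaping on output is what closes the reflected XSS in point 3.
    """
    return (
        f'<input type="hidden" name="claimID" value="{escape(claim_id, quote=True)}">\n'
        f'<input type="hidden" name="claimPasscode" value="{escape(claim_passcode, quote=True)}">'
    )


if __name__ == "__main__":
    secret = secrets.token_hex(16)
    # constructed sample values
    cookie = mint_session(secret, "patrick", "192.0.2.10", "Mozilla/5.0")
    print(set_cookie_header(cookie, over_https=True))
    print(verify_session(cookie, [secret], "192.0.2.10", "Mozilla/5.0"))
    print(verify_session(cookie, [secret], "198.51.100.7", "Mozilla/5.0"))
    print(render_pickup_fields('abc"><img src=x>', "p'w"))
```

<p>Note the order in verify_session: the MAC is checked before the IP address or timestamp fields are interpreted, and the comparison uses hmac.compare_digest so its timing does not depend on how many leading bytes match. Secure is only appended when over_https is true, which reflects the reply's point that a site administrator may legitimately run a trial instance over plain http.</p>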
</body>
</html>