<html><body>
<p><font size="2" face="sans-serif">Hi,</font><br>
<br>
<font size="2" face="sans-serif">we commissioned an external company specialising in penetration testing to take a look at zendto. They found some weaknesses which should be corrected...</font><br>
<br>
<font size="2" face="sans-serif"><b>1.) Session-Concept</b></font><br>
<br>
<font size="2" face="sans-serif">The user is identified by a cookie value. The cookie value consists of username, IP address, timestamp, nonce, browser, cookie name and server-side secret. All these values are combined and hashed with MD5. </font><br>
<font size="2" face="sans-serif">This hash is used together with username, IP address, timestamp and nonce to identify the user.</font><br>
<br>
<font size="2" face="sans-serif">The user sends the cookie values to the server, and the server checks whether the hash is correct and the timestamp is not too old. </font><br>
<br>
<font size="2" face="sans-serif"><b>Suggestion:</b></font><br>
<br>
<font size="2" face="sans-serif">The external company mentions that there are no additional measures to check whether the user is really connecting from that IP address. The security is based only on the server-side secret. With brute force it should be possible to obtain the MD5 hash and impersonate any user.</font><br>
<font size="2" face="sans-serif">The suggestion is to extend the server-side secret to 20 characters and change it continuously. The status of a session should be verified on the server side.</font><br>
<br>
<font size="2" face="sans-serif"><b>2.) Cookie</b></font><br>
<br>
<font size="2" face="sans-serif">The cookie "zendto-session" is not marked with (PHP) attributes like "Secure" and "HttpOnly".</font><br>
<br>
<font size="2" face="sans-serif"><b>Suggestion:</b></font><br>
<br>
<font size="2" face="sans-serif">All cookies should be marked with "Secure" and "HttpOnly" to make sniffing these values harder.</font><br>
<br>
<font size="2" face="sans-serif"><b>3.) Reflected Cross-Site Scripting</b></font><br>
<br>
<font size="2" face="sans-serif">The vulnerability was found in the following URL: </font><br>
<br>
<font size="2" face="sans-serif">https://<IP>/pickup.php?claimID=D9tEmVyPzfpaWW3cd541b"><img src="noex" onerror="alert('SySS XSS!')"&claimPasscode=TD9ab87Sas2RFVoW&pickup=Pick-up+the+File(s)</font><br>
<br>
<font size="2" face="sans-serif">The following output was generated.</font><br>
<br>
<font size="2" face="sans-serif">[Screenshot of the generated output; inline image not available]</font><br>
<br>
<br>
<font size="2" face="sans-serif">On my zendto, mod_security is running and keywords are filtered, but </font><font size="2" face="sans-serif"><b>all parameters should be verified and validated on the server side</b></font><font size="2" face="sans-serif">.</font><br>
<br>
<font size="2" face="sans-serif">Kind regards / Best regards<br>
<br>
Patrick Gaikowski<br>
Tel: +49 7132 94 3568<br>
Fax: +49 7132 94 73568<br>
E-Mail: patrick.gaikowski@kaufland.com<br>
KI 967850: IT International / IT Governance / Network Design and IT Security<br>
Office:<br>
Lindichstrasse 11<br>
D-74189 Weinsberg</font><br>
<br>
<br>
<font size="2" face="sans-serif"><a href="http://www.kaufland.de">http://www.kaufland.de</a> </font><br>
<font size="2" face="sans-serif"><a href="http://www.spannende-it.de">http://www.spannende-it.de</a></font><br>
<font size="2" face="sans-serif">We are No. 1:</font><br>
<font size="2" face="sans-serif">Kaufland is "Best Supermarket 2011"!</font><br>
<br>
<font size="2" face="sans-serif">Kaufland Informationssysteme GmbH & Co. KG</font><br>
<font size="2" face="sans-serif">P.O. Box 12 53 - 74149 Neckarsulm<br>
Limited partnership (Kommanditgesellschaft)<br>
Registered office: Neckarsulm<br>
Register court: Amtsgericht Stuttgart HRA 104163</font><br>
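<p>As an added example (not ZendTo's own code, which is PHP; this is a Python sketch of the same scheme), the unkeyed MD5 cookie construction described in point 1 is shown beside a version that follows the suggestions: a keyed HMAC over the cookie fields with a long random secret, a server-side session record that the server consults on every request, a timestamp check, and the Secure/HttpOnly attributes from point 2. The field layout, the in-memory store and the default lifetime are assumptions for the example.</p>

```python
import hashlib
import hmac
import secrets
import time

COOKIE_NAME = "zendto-session"
# Constructed for this example; a real deployment loads a long random secret
# from configuration and rotates it, as the report suggests.
SERVER_SECRET = secrets.token_hex(32)
SESSIONS = {}  # server-side store, nonce -> session record (assumed layout)

def weak_token(user, ip, ts, nonce, browser, secret):
    """Scheme as described in point 1: a single unkeyed MD5 over the fields;
    only the secret is unknown to the client."""
    data = f"{user}|{ip}|{ts}|{nonce}|{browser}|{COOKIE_NAME}|{secret}"
    return hashlib.md5(data.encode()).hexdigest()

def _mac(payload):
    return hmac.new(SERVER_SECRET.encode(), payload.encode(), hashlib.sha256).hexdigest()

def create_session(user, ip, browser, now=None):
    """Record the session server-side and hand out a keyed, signed cookie value."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    SESSIONS[nonce] = {"user": user, "ip": ip, "browser": browser, "created": now}
    payload = f"{user}|{ip}|{now}|{nonce}"
    return f"{payload}|{_mac(payload)}"

def validate_session(cookie, ip, browser, max_age=3600, now=None):
    """Return the username for a valid cookie, otherwise None."""
    now = int(time.time() if now is None else now)
    parts = cookie.split("|")
    if len(parts) != 5:
        return None
    user, c_ip, ts, nonce, mac = parts
    if not hmac.compare_digest(mac, _mac(f"{user}|{c_ip}|{ts}|{nonce}")):
        return None  # bad signature; constant-time compare avoids a timing oracle
    session = SESSIONS.get(nonce)
    if session is None:
        return None  # unknown or logged-out session: the server-side status decides
    if (session["user"], session["ip"], session["browser"]) != (user, ip, browser):
        return None  # cookie presented from another address or client
    if str(session["created"]) != ts or now - session["created"] > max_age:
        SESSIONS.pop(nonce, None)  # expired or inconsistent: drop the record too
        return None
    return user

def set_cookie_header(value):
    # Point 2 of the report: the session cookie carries Secure and HttpOnly.
    return f"Set-Cookie: {COOKIE_NAME}={value}; Secure; HttpOnly; SameSite=Strict; Path=/"
```

Removing the nonce from SESSIONS at logout invalidates the cookie even though its signature still verifies, which is the server-side status check the report asks for.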
</body></html>