<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
tt
        {mso-style-priority:99;
        font-family:"Courier New";}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;
        color:black;}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
span.EmailStyle21
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I forgot to mention that this was based on the code for version 4.12.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">--- Karl Bundy<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext"> Karl Bundy
<br>
<b>Sent:</b> Wednesday, March 02, 2016 8:28 AM<br>
<b>To:</b> zendto@zend.to<br>
<b>Subject:</b> RE: [ZendTo] XSS<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hi everyone,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">It appears that the issue is due to the fact that the email querystring variable is not being sanitized before being used. I am not a skilled programmer, but
I was able to make this simple change to the pickup.php file and it appears to have resolved this XSS issue. Please use this at your own risk, as it appears to work for me, but your mileage may vary ;)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">In the pickup.php file change this line:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">$emailAddr = isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">to this:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">$emailAddr = str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Save the file, and then test again.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">---Karl Bundy<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">
<a href="mailto:zendto-bounces@zend.to">zendto-bounces@zend.to</a> [<a href="mailto:zendto-bounces@zend.to">mailto:zendto-bounces@zend.to</a>]
<b>On Behalf Of </b>Der PCFreak<br>
<b>Sent:</b> Wednesday, March 02, 2016 6:10 AM<br>
<b>To:</b> <a href="mailto:zendto@zend.to">zendto@zend.to</a><br>
<b>Subject:</b> Re: [ZendTo] XSS<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><tt><span style="font-size:10.0pt">Hi,</span></tt><span style="font-size:10.0pt;font-family:"Courier New""><br>
<br>
<tt>Barracuda offers their "Barracuda Vulnerability Manager" for free at the moment and I tested it.</tt><br>
<tt><a href="https://bvm.barracudanetworks.com/">https://bvm.barracudanetworks.com/</a></tt><br>
<br>
<br>
<tt>Here some of the results pointed at my ZendTo installation:</tt><br>
<br>
<br>
<tt>Reflected Cross-Site Scripting</tt><br>
<tt>==============================</tt><br>
<tt><a href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
<tt>Issue Detail</tt><br>
<tt>The emailAddr parameter was submitted with the value "--&gt;&lt;script&gt;prompt(12345)&lt;/script&gt;lNYCi&lt;!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.</tt><br>
<br>
<tt><a href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
<tt>Issue Detail</tt><br>
<tt>The auth parameter was submitted with the value "--&gt;&lt;script&gt;prompt(12345)&lt;/script&gt;HyNzQ&lt;!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.</tt><br>
<br>
<tt><a href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
<tt>Issue Detail</tt><br>
<tt>The emailAddr parameter was submitted with the value "--&gt;&lt;script&gt;prompt(12345)&lt;/script&gt;x7RXs&lt;!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.</tt><br>
<br>
<tt><a href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
<tt>Issue Detail</tt><br>
<tt>The auth parameter was submitted with the value "--&gt;&lt;script&gt;prompt(12345)&lt;/script&gt;WqYcq&lt;!--, and the string was echoed verbatim in the output, showing that there is a reflected XSS vulnerability.</tt><br>
<br>
<tt>HTML-Injection</tt><br>
<tt>==============</tt><br>
<tt><a href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
<tt>Issue Detail</tt><br>
<tt>The emailAddr parameter was submitted with the value &lt;h1&gt;tjkgr&lt;/h1&gt;, and this value was echoed back verbatim in the resulting page.</tt><br>
<br>
<tt><a href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
<tt>Issue Detail</tt><br>
<tt>The auth parameter was submitted with the value &lt;h1&gt;xt90x&lt;/h1&gt;, and this value was echoed back verbatim in the resulting page.</tt><br>
<br>
<tt><a href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
<tt>Issue Detail</tt><br>
<tt>The emailAddr parameter was submitted with the value &lt;h1&gt;zrjja&lt;/h1&gt;, and this value was echoed back verbatim in the resulting page.</tt><br>
<br>
<tt><a href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
<tt>Issue Detail</tt><br>
<tt>The auth parameter was submitted with the value &lt;h1&gt;anhxx&lt;/h1&gt;, and this value was echoed back verbatim in the resulting page.</tt><br>
<br>
<tt>Kind regards</tt><br>
<br>
<tt>PCFreak</tt><br>
<br>
<br>
<br>
</span><o:p></o:p></p>
<div>
<p class="MsoNormal">On 01.03.2016 20:14, Chris Venter wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi <o:p></o:p></p>
</div>
<p class="MsoNormal">Our security audit has highlighted a possible reflected cross-site scripting error on the pickup.php page, to test we ran
<br>
<br>
<a href="https://server_name/pickup/php?emailAddr=test" target="_blank">https://server_name/pickup/php?emailAddr=test</a>" /&gt;&lt;script&gt;alert('XSS Test')&lt;/script&gt;<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Can anyone else confirm if this is an issue?<o:p></o:p></p>
</div>
<p class="MsoNormal">Thanks<o:p></o:p></p>
</div>
<p class="MsoNormal">CJ<o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>ZendTo mailing list<o:p></o:p></pre>
<pre><a href="mailto:ZendTo@zend.to">ZendTo@zend.to</a><o:p></o:p></pre>
<pre><a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
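<p class="MsoNormal">An added example to go with the thread above. It is editor's code, not ZendTo's pickup.php and not code posted by anyone on the list. It takes the two payloads quoted from the scanner report, runs each through three handlers (echo verbatim, the str_replace('"', '') change posted above, and htmlspecialchars with ENT_QUOTES), emits the result into two assumed output contexts that stand in for whatever pickup.php actually does with the value (a double-quoted input value attribute, which is what the leading quote in the scanner payload targets, and a plain text node), and then counts how many script and h1 elements a lenient HTML parser builds from each result. The template strings, context names and handler names are all assumptions made for the example.</p>

```php
<?php
// Added example for the ZendTo XSS thread. Not ZendTo code: the two output
// contexts below are assumptions standing in for whatever pickup.php does
// with $emailAddr (and $auth). Each scanner payload quoted in the thread is
// run through three handlers, emitted into each context, and the markup is
// parsed leniently to count the elements the payload managed to create.
declare(strict_types=1);

// Payloads exactly as reported by the scanner in the thread.
const PAYLOAD_SCRIPT = '"--><script>prompt(12345)</script>lNYCi<!--';
const PAYLOAD_H1     = '<h1>tjkgr</h1>';

// Handler 1: echo verbatim, the behaviour the scanner flagged.
function pass_through(string $v): string
{
    return $v;
}

// Handler 2: the change posted in the thread, drop every double quote.
function strip_double_quotes(string $v): string
{
    return str_replace('"', '', $v);
}

// Handler 3: output encoding. ENT_QUOTES also encodes the single quote, so
// the same helper is safe inside single-quoted attributes as well.
function html_encode(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Assumed output contexts (not taken from pickup.php).
function in_attribute(string $v): string
{
    return '<input type="text" name="emailAddr" value="' . $v . '">';
}

function in_text(string $v): string
{
    return '<p>No files are waiting for ' . $v . '</p>';
}

// Parse the fragment leniently, the way a browser would, and count the
// elements with the given tag name that ended up in the DOM.
function injected_elements(string $html, string $tag): int
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // the unterminated <!-- is expected
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    return $doc->getElementsByTagName($tag)->length;
}

$handlers = ['pass_through', 'strip_double_quotes', 'html_encode'];
$contexts = ['in_attribute', 'in_text'];

// One row per context and handler: a non-zero count means the payload
// created a real element in that context after that handler.
foreach ($contexts as $ctx) {
    foreach ($handlers as $h) {
        $script = injected_elements($ctx($h(PAYLOAD_SCRIPT)), 'script');
        $h1     = injected_elements($ctx($h(PAYLOAD_H1)), 'h1');
        printf("%-13s %-20s script=%d h1=%d\n", $ctx, $h, $script, $h1);
    }
}
```

<p class="MsoNormal">Run it with the php command-line binary (it needs the dom extension). The point of the table it prints is the context: removing double quotes only helps where the value is emitted inside a double-quoted attribute, which is the one case the scanner payload's leading quote was written to break out of. If the same value is also written into a text node, an unquoted or single-quoted attribute, or a JavaScript string, the same payloads still create elements there, so the reliable fix is to leave the input alone and encode at output, once per context, with a helper like html_encode above. The report flags the auth parameter as well as emailAddr, so whatever is done for one should be applied to the other.</p>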
</div>
</body>
</html>