<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Hi guys!<br>
    <br>
    Sorry about this one. The fault isn't actually in that line, it's
    just below it where it says this:<br>
    <br>
<pre>    if ( isset($recipEmail) &amp;&amp; !preg_match($theDropbox-&gt;validEmailRegexp(),$recipEmail) ) {
      $emailAddr = 'INVALID';
    }</pre>
    <br>
    Those 2 "$recipEmail" should of course both be "$emailAddr".<br>
    <br>
    I did carefully check the email address was valid, but put in the
    wrong variable name to check. :-(<br>
    My bad.<br>
    <br>
    That should fix it. No need to restart httpd or anything, just save
    the file and reload the page.<br>
    <br>
    Cheers,<br>
    Jules.<br>
    <br>
    P.S. Sorry I haven't done an update in *ages*. 2 questions: (1) What
    other outstanding bugs/patches are there? and (2) Is it worth me
    re-writing the areyouahuman CAPTCHA code for their new one, or is
    everyone happy with the Google one (reCAPTCHA) that is there
    already?<br>
    <br>
    <div class="moz-cite-prefix">On 02/03/2016 15:28, Karl Bundy wrote:<br>
    </div>
    <blockquote
      cite="mid:a9b2f059d6424b84b0a3afa5fc891203@MBX03B-IAD3.mex08.mlsrvr.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">Hi
            everyone,<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">It
            appears that the issue is due to the fact that the email
            querystring variable is not being sanitized before being
            used.  I am not a skilled programmer, but I was able to make
            this simple change to the pickup.php file and it appears to
            have resolved this XSS issue.  Please use this at your own
            risk, as it appears to work for me, but your mileage may
            vary ;)<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">In
            the pickup.php file change this line:<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">$emailAddr
            =
isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">to
            this:<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">$emailAddr
            =
str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">Save
            the file, and then test again.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">---Karl
            Bundy<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:windowtext">
                <a class="moz-txt-link-abbreviated" href="mailto:zendto-bounces@zend.to">zendto-bounces@zend.to</a> [<a class="moz-txt-link-freetext" href="mailto:zendto-bounces@zend.to">mailto:zendto-bounces@zend.to</a>]
                <b>On Behalf Of </b>Der PCFreak<br>
                <b>Sent:</b> Wednesday, March 02, 2016 6:10 AM<br>
                <b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:zendto@zend.to">zendto@zend.to</a><br>
                <b>Subject:</b> Re: [ZendTo] XSS<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal" style="margin-bottom:12.0pt"><tt><span
              style="font-size:10.0pt">Hi,</span></tt><span
            style="font-size:10.0pt;font-family:&quot;Courier New&quot;"><br>
            <br>
            <tt>Barracuda offers their "Barracuda Vulnerability Manager"
              for free at the moment and I tested it.</tt><br>
            <tt><a moz-do-not-send="true"
                href="https://bvm.barracudanetworks.com/">https://bvm.barracudanetworks.com/</a></tt><br>
            <br>
            <br>
            <tt>Here some of the results pointed at my ZendTo
              installation:</tt><br>
            <br>
            <br>
            <tt>Reflected Cross-Site Scripting</tt><br>
            <tt>==============================</tt><br>
            <tt><a moz-do-not-send="true"
                href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
            <tt>Issue Detail</tt><br>
            <tt>The emailAddr parameter was submitted with the value
              "--&gt;&lt;script&gt;prompt(12345)&lt;/script&gt;lNYCi&lt;!--,
              and the string was echoed verbatim in the output, showing
              that there is a reflected XSS vulnerability.</tt><br>
            <br>
            <tt><a moz-do-not-send="true"
                href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
            <tt>Issue Detail</tt><br>
            <tt>The auth parameter was submitted with the value
              "--&gt;&lt;script&gt;prompt(12345)&lt;/script&gt;HyNzQ&lt;!--,
              and the string was echoed verbatim in the output, showing
              that there is a reflected XSS vulnerability.</tt><br>
            <br>
            <tt><a moz-do-not-send="true"
                href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
            <tt>Issue Detail</tt><br>
            <tt>The emailAddr parameter was submitted with the value
              "--&gt;&lt;script&gt;prompt(12345)&lt;/script&gt;x7RXs&lt;!--,
              and the string was echoed verbatim in the output, showing
              that there is a reflected XSS vulnerability.</tt><br>
            <br>
            <tt><a moz-do-not-send="true"
                href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
            <tt>Issue Detail</tt><br>
            <tt>The auth parameter was submitted with the value
              "--&gt;&lt;script&gt;prompt(12345)&lt;/script&gt;WqYcq&lt;!--,
              and the string was echoed verbatim in the output, showing
              that there is a reflected XSS vulnerability.</tt><br>
            <br>
            <tt>HTML-Injection</tt><br>
            <tt>==============</tt><br>
            <tt><a moz-do-not-send="true"
                href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
            <tt>Issue Detail</tt><br>
            <tt>The emailAddr parameter was submitted with the value
              &lt;h1&gt;tjkgr&lt;/h1&gt;, and this value was echoed back
              verbatim in the resulting page.</tt><br>
            <br>
            <tt><a moz-do-not-send="true"
                href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
            <tt>Issue Detail</tt><br>
            <tt>The auth parameter was submitted with the value
              &lt;h1&gt;xt90x&lt;/h1&gt;, and this value was echoed back
              verbatim in the resulting page.</tt><br>
            <br>
            <tt><a moz-do-not-send="true"
                href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
            <tt>Issue Detail</tt><br>
            <tt>The emailAddr parameter was submitted with the value
              &lt;h1&gt;zrjja&lt;/h1&gt;, and this value was echoed back
              verbatim in the resulting page.</tt><br>
            <tt>View Full HTTP Request and Response</tt><br>
            <br>
            <tt><a moz-do-not-send="true"
                href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
            <tt>Issue Detail</tt><br>
            <tt>The auth parameter was submitted with the value
              &lt;h1&gt;anhxx&lt;/h1&gt;, and this value was echoed back
              verbatim in the resulting page.</tt><br>
            <br>
            <tt>Kind regards</tt><br>
            <br>
            <tt>PCFreak</tt><br>
            <br>
            <br>
            <br>
            <br>
          </span><o:p></o:p></p>
        <div>
          <p class="MsoNormal">On 01.03.2016 20:14, Chris Venter wrote:<o:p></o:p></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <div>
            <div>
              <div>
                <div>
                  <div>
                    <div>
                      <p class="MsoNormal" style="margin-bottom:12.0pt">Hi
                        <o:p></o:p></p>
                    </div>
                    <p class="MsoNormal">Our security audit has
                      highlighted a possible reflected cross site
                      scripting error on the pickup.php page, to test we
                      ran
                      <br>
                      <br>
                      <a moz-do-not-send="true"
                        href="https://server_name/pickup/php?emailAddr=test"
                        target="_blank">https://server_name/pickup/php?emailAddr=test</a>"
                      /&gt;&lt;script&gt;alert('XSS
                      Test')&lt;/script&gt;<o:p></o:p></p>
                  </div>
                  <p class="MsoNormal"><o:p> </o:p></p>
                </div>
                <p class="MsoNormal" style="margin-bottom:12.0pt">Can
                  anyone else confirm if this is an issue?<o:p></o:p></p>
              </div>
              <p class="MsoNormal">Thanks<o:p></o:p></p>
            </div>
            <p class="MsoNormal">CJ<o:p></o:p></p>
          </div>
          <p class="MsoNormal"><br>
            <br>
            <br>
            <o:p></o:p></p>
          <pre>_______________________________________________<o:p></o:p></pre>
          <pre>ZendTo mailing list<o:p></o:p></pre>
          <pre><a moz-do-not-send="true" href="mailto:ZendTo@zend.to">ZendTo@zend.to</a><o:p></o:p></pre>
          <pre><a moz-do-not-send="true" href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a><o:p></o:p></pre>
        </blockquote>
        <p class="MsoNormal"><o:p> </o:p></p>
      </div>
      <br>
      <br>
      <br>
      <pre class="moz-signature" cols="72">Jules

-- 
Julian Field MEng MBCS CITP CEng


<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
</pre>
    </blockquote>
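<p>Editor's added example, not code from ZendTo or from any message in the thread above: it puts the two defences the thread discusses side by side, the server-side validity check on the <tt>emailAddr</tt> value that pickup.php actually read (the variable-name mix-up Jules describes) and HTML-escaping of that value on output, and runs both over the payloads the scanner and the audit reported against pickup.php. The regular expression is an assumed stand-in for <tt>$theDropbox-&gt;validEmailRegexp()</tt>, whose real pattern is not on this page; the function names and the sample inputs are constructed for the example.</p>

```php
<?php
// Added example (not ZendTo project code): validate the emailAddr parameter
// server-side and HTML-escape it on output, so a scanner payload can neither
// pass validation nor be rendered as markup.

// Assumed stand-in for $theDropbox->validEmailRegexp(); ZendTo's own pattern
// is not shown on the page.
const VALID_EMAIL_REGEXP = '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/';

// Read the parameter the way pickup.php does (POST first, then GET), then
// validate the SAME variable that was read. Checking a different variable
// name, as in the bug Jules describes, leaves $emailAddr unvalidated.
function readEmailAddr(array $post, array $get): ?string {
    $emailAddr = isset($post['emailAddr']) ? $post['emailAddr']
               : (isset($get['emailAddr']) ? $get['emailAddr'] : null);
    if (isset($emailAddr) && !preg_match(VALID_EMAIL_REGEXP, $emailAddr)) {
        $emailAddr = 'INVALID';
    }
    return $emailAddr;
}

// Output encoding: whatever survives validation (or the literal 'INVALID')
// still goes through htmlspecialchars before it is placed in an attribute.
// ENT_QUOTES also encodes the double quote, which is what the audit payload
// relies on to break out of the value="..." attribute.
function renderEmailField(?string $emailAddr): string {
    $safe = htmlspecialchars((string)$emailAddr, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="emailAddr" value="' . $safe . '">';
}

// Constructed inputs: one legitimate address plus the three payload shapes
// quoted in the thread (comment break-out, plain HTML injection, attribute
// break-out).
$samples = [
    'user@example.com',
    '--><script>prompt(12345)</script>lNYCi<!--',
    '<h1>tjkgr</h1>',
    'test" /><script>alert(\'XSS Test\')</script>',
];

foreach ($samples as $input) {
    $value = readEmailAddr([], ['emailAddr' => $input]);
    $html  = renderEmailField($value);
    // A raw '<script' or '<h1' in the rendered field means the input reached
    // the page unencoded; the '<input' of the wrapper itself is expected.
    $leak = (strpos($html, '<script') !== false || strpos($html, '<h1') !== false)
          ? 'LEAK' : 'ok';
    printf("%-45s -> %-8s %s\n", substr($input, 0, 45), $value, $leak);
    echo "    $html\n";
}
```

<p>Run it with <tt>php example.php</tt>. The first sample is echoed back as a normal value; the other three are replaced by <tt>INVALID</tt> by the regexp check, and even if the check were bypassed the <tt>htmlspecialchars</tt> call on output would still turn their <tt>&lt;</tt> and <tt>"</tt> characters into entities, which is why escaping at the output point, not only filtering at the input point, is the defence to keep regardless of which variable the validation happens to test.</p>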
  </body>
</html>