<div dir="ltr"><div>I can also confirm the fix from Jules has worked, Thanks for the help all, as for the other questions reCAPTCHA is fine for our use. <br><br></div><div>Cheers<br></div><div>C<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 2 March 2016 at 18:29, Keith Erekson <span dir="ltr"><<a href="mailto:kbe2@lehigh.edu" target="_blank">kbe2@lehigh.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class="">
<br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br></span>
I can confirm that this fixes the issue.<br>
<br>
For the Debian package, here is the patch for
/opt/zendto/www/pickup.php:<br>
<br>
- --- pickup.php.old 2016-03-02 13:25:27.000000000 -0500<br>
+++ pickup.php 2016-03-02 13:25:30.000000000 -0500<br>
@@ -180,7 +180,7 @@<br>
<br>
$claimID = preg_replace('/[^a-zA-Z0-9]/', '', $claimID);<br>
$claimPasscode = preg_replace('/[^a-zA-Z0-9]/', '',
$claimPasscode);<br>
- - if ( isset($recipEmail) && !
preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {<br>
+ if ( isset($emailAddr) && !
preg_match($theDropbox->validEmailRegexp(),$emailAddr) ) {<br>
$emailAddr = 'INVALID';<span class=""><br>
}<br>
<br>
<br>
<br>
On 03/02/2016 12:06 PM, Jules wrote:<br>
</span><span style="white-space:pre-wrap"><span class="">> Hi guys!<br>
><br>
> Sorry about this one. The fault isn't actually in that line,
it's just below it where it says this:<br>
><br>
> if ( isset($recipEmail) && !
preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {<br>
> $emailAddr = 'INVALID';<br>
> }<br>
><br>
> Those 2 "$recipEmail" should of course both be "$emailAddr".<br>
><br>
> I did carefully check the email address was valid, but put in
the wrong variable name to check. :-(<br>
> My bad.<br>
><br>
> That should fix it. No need to restart httpd or anything,
just save the file and reload the page.<br>
><br>
> Cheers,<br>
> Jules.<br>
><br>
> P.S. Sorry I haven't done an update in *ages*. 2 questions:
(1) What other outstanding bugs/patches are there?, and (2) Is it
worth me re-writing the areyouahuman CAPTCHA code for their new
one, or is everyone happy with the Google one (reCAPTCHA) that is
there already?<br>
><br>
> On 02/03/2016 15:28, Karl Bundy wrote:<br>
>><br>
>> Hi everyone,<br>
>><br>
>> <br>
>><br>
>> It appears that the issue is due to the fact that the
email querystring variable is not being sanitized before being
used. I am not a skilled programmer, but I was able to make this
simple change to the pickup.php file and it appears to have
resolved this XSS issue. Please use this at your own risk, as it
appears to work for me, but your mileage may vary ;)<br>
>><br>
>> <br>
>><br>
>> In the pickup.php file change this line:<br>
>><br>
>> <br>
>><br>
>> $emailAddr =
isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);<br>
>><br>
>> <br>
>><br>
>> to this:<br>
>><br>
>> <br>
>><br>
>> $emailAddr =
str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));<br>
>><br>
>> <br>
>><br>
>> <br>
>><br>
>> Save the file, and then test again.<br>
>><br>
>> <br>
>><br>
>> <br>
>><br>
>> ---Karl Bundy<br>
>><br>
>> <br>
>><br></span>
>> *From:*<a href="mailto:zendto-bounces@zend.to" target="_blank">zendto-bounces@zend.to</a>
[<a href="mailto:zendto-bounces@zend.to" target="_blank">mailto:zendto-bounces@zend.to</a>] *On Behalf Of *Der PCFreak<br>
>> *Sent:* Wednesday, March 02, 2016 6:10 AM<br>
>> *To:* <a href="mailto:zendto@zend.to" target="_blank">zendto@zend.to</a><br>
>> *Subject:* Re: [ZendTo] XSS<div><div class="h5"><br>
>><br>
>> <br>
>><br>
>> Hi,<br>
>><br>
>> Barracuda offers their "Barracuda Vulnerability Manager"
for free at the moment and I tested it.<br>
>> <a href="https://bvm.barracudanetworks.com/" target="_blank">https://bvm.barracudanetworks.com/</a><br>
>><br>
>><br>
>> Here some of the results pointed at my ZendTo
installation:<br>
>><br>
>><br>
>> Reflected Cross-Site Scripting<br>
>> ==============================<br>
>> <a href="https://your.url.tld/pickup.php" target="_blank">https://your.url.tld/pickup.php</a><br>
>> Issue Detail<br>
>> The emailAddr parameter was submitted with the value
"--><script>prompt(12345)</script>lNYCi<!--, and
the string was echoed verbatim in the output, showing that there
is a reflected XSS vulnerability.<br>
>><br>
>> <a href="https://your.url.tld/pickup.php" target="_blank">https://your.url.tld/pickup.php</a><br>
>> Issue Detail<br>
>> The auth parameter was submitted with the value
"--><script>prompt(12345)</script>HyNzQ<!--, and
the string was echoed verbatim in the output, showing that there
is a reflected XSS vulnerability.<br>
>><br>
>> <a href="https://your.url.tld/pickup.php" target="_blank">https://your.url.tld/pickup.php</a><br>
>> Issue Detail<br>
>> The emailAddr parameter was submitted with the value
"--><script>prompt(12345)</script>x7RXs<!--, and
the string was echoed verbatim in the output, showing that there
is a reflected XSS vulnerability.<br>
>><br>
>> <a href="https://your.url.tld/pickup.php" target="_blank">https://your.url.tld/pickup.php</a><br>
>> Issue Detail<br>
>> The auth parameter was submitted with the value
"--><script>prompt(12345)</script>WqYcq<!--, and
the string was echoed verbatim in the output, showing that there
is a reflected XSS vulnerability.<br>
>><br>
>> HTML-Injection<br>
>> ==============<br>
>> <a href="https://your.url.tld/pickup.php" target="_blank">https://your.url.tld/pickup.php</a><br>
>> Issue Detail<br>
>> The emailAddr parameter was submitted with the value
<h1>tjkgr</h1>, and this value was echoed back
verbatim in the resulting page.<br>
>><br>
>> <a href="https://your.url.tld/pickup.php" target="_blank">https://your.url.tld/pickup.php</a><br>
>> Issue Detail<br>
>> The auth parameter was submitted with the value
<h1>xt90x</h1>, and this value was echoed back
verbatim in the resulting page.<br>
>><br>
>> <a href="https://your.url.tld/pickup.php" target="_blank">https://your.url.tld/pickup.php</a><br>
>> Issue Detail<br>
>> The emailAddr parameter was submitted with the value
<h1>zrjja</h1>, and this value was echoed back
verbatim in the resulting page.<br>
>> View Full HTTP Request and Response<br>
>><br>
>> <a href="https://your.url.tld/pickup.php" target="_blank">https://your.url.tld/pickup.php</a><br>
>> Issue Detail<br>
>> The auth parameter was submitted with the value
<h1>anhxx</h1>, and this value was echoed back
verbatim in the resulting page.<br>
>><br>
>> Kind regards<br>
>><br>
>> PCFreak<br>
>><br>
>><br>
>><br>
>><br>
>> On 01.03.2016 20:14, Chris Venter wrote:<br>
>><br>
>> Hi<br>
>><br>
>> Our security audit has highlighted a possible
reflected cross site scripting error on the pickup.php page,to
test we ran<br>
>><br>
>> <a href="https://server_name/pickup/php?emailAddr=test" target="_blank">https://server_name/pickup/php?emailAddr=test</a>"
/><script>alert('XSS Test')</script><br>
>><br>
>> <br>
>><br>
>> Can anyone else confirm if this is an issue?<br>
>><br>
>> Thanks<br>
>><br>
>> CJ<br>
>><br>
>><br>
>><br>
>><br>
>> _______________________________________________<br>
>><br>
>> ZendTo mailing list<br>
>><br></div></div>
>> <a href="mailto:ZendTo@zend.to" target="_blank">ZendTo@zend.to</a> <a href="mailto:ZendTo@zend.to" target="_blank"><mailto:ZendTo@zend.to></a><span class=""><br>
>><br>
>>
<a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto" target="_blank">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a><br>
>><br>
>> <br>
>><br>
>><br>
>><br>
>> _______________________________________________<br>
>> ZendTo mailing list<br>
>> <a href="mailto:ZendTo@zend.to" target="_blank">ZendTo@zend.to</a><br>
>> <a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto" target="_blank">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a><br>
>><br>
>> Jules<br>
>><br>
>> -- <br>
>> Julian Field MEng MBCS CITP CEng<br>
>><br>
>><br>
>> <a href="http://www.Zend.To" target="_blank">www.Zend.To</a><br>
>> Twitter: @JulesFM<br>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947
1415 B654<br>
><br>
><br>
> _______________________________________________<br>
> ZendTo mailing list<br>
> <a href="mailto:ZendTo@zend.to" target="_blank">ZendTo@zend.to</a><br>
> <a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto" target="_blank">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a></span></span><br><span class="">
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.12 (GNU/Linux)<br>
<br></span>
iQEcBAEBCAAGBQJW1zDuAAoJEMdFVhhDm2SFvU4H/3ql/g9ugTk9c4oclyU9ZKeX<br>
oOd0/ZIJ0wQLEqejDkXVj8QzP2651C+8RBt96vGJMQx7N7SowfGUqOQZtKwK2hlA<br>
B5bGzI/MXcpvolhb7GCI5LlBnfmau5L1qtRzqHJbtXgoW5k2TicEXzKpOUZwj9/J<br>
y8HTmO8f/rqUREG3kdmQrLsqHsAbUzz63uV8ocLLPTsDq9hBNMrLlW/OtrWJ3sWk<br>
MvKTh6PGwYMl4nLiObGoA0hYPnzzTYNv2kPLG8XeZqSp/btr3tPPadZ6NmoLYyDm<br>
uX6G3ywdW5jAJZj2oUHu7hc6FCyItV/WewvdVDvuagecDmuVTB8zOF5J/rpQkOM=<br>
=rcZ8<br>
-----END PGP SIGNATURE-----<br>
<br>
</div>
<br>_______________________________________________<br>
ZendTo mailing list<br>
<a href="mailto:ZendTo@zend.to">ZendTo@zend.to</a><br>
<a href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto" rel="noreferrer" target="_blank">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a><br></blockquote></div><br></div>