<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <tt>Hi,<br>
      <br>
      <tt>the following patch in /opt/zendto/templates/login.tpl
        mitigates the minor problem of password autocompletion through
        login.php:<br>
        <br>
        <tt>&lt;       &lt;td&gt;&lt;input type="password"
          id="passwordField" name="password" size="15"
          value=""/&gt;&lt;/td&gt;<br>
          ---<br>
          &gt;       &lt;!-- &lt;td&gt;&lt;input type="password"
          id="passwordField" name="password" size="15"
          value=""/&gt;&lt;/td&gt; --&gt;<br>
          &gt;       &lt;td&gt;&lt;input type="password"
          id="passwordField" name="password" size="15" value=""<font
            color="#009900"> autocomplete="off"</font>/&gt;&lt;/td&gt;<br>
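          <br>
          Review bot: the old &lt;input&gt; line is kept as an HTML comment (the "&lt;!-- ... --&gt;" line) instead of being deleted, so it is still sent to every client in the page source; drop it, the diff already records the change. The hunk also has no line-number header, so it cannot be applied with patch(1) and has to be edited in by hand. Finally, current mainstream browsers ignore autocomplete="off" on password fields when offering to save credentials, so this silences the scanner finding more than it prevents the stored-password scenario the report describes.<br>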
          <br>
          Greets<br>
          <br>
          <tt>PCFreak</tt><br>
        </tt></tt></tt><br>
    <div class="moz-cite-prefix">On 03.03.2016 08:19, Der PCFreak wrote:<br>
    </div>
    <blockquote cite="mid:56D7E59D.6070200@pcfreak.de" type="cite">
      <meta content="text/html; charset=windows-1252"
        http-equiv="Content-Type">
      <tt>Hi Jules,<br>
        <br>
        thanks for the quick fix in pickup.php<br>
        <br>
        But there still seem to be some problems in pickup.php concerning the 'auth' parameter:<br>
        <br>
        Reflected Cross-Site Scripting<br>
        ------------------------------<br>
        pickup.php<br>
        The auth parameter was submitted with the value
        "--&gt;&lt;script&gt;prompt(12345)&lt;/script&gt;1t58l&lt;!--,
        and the string was echoed verbatim in the output,
        showing that there is a reflected XSS vulnerability.<br>
        <br>
        pickup.php<br>
        The auth parameter was submitted with the value
        "--&gt;&lt;script&gt;prompt(12345)&lt;/script&gt;KBY7h&lt;!--,
        and the string was echoed verbatim in the output,
        showing that there is a reflected XSS vulnerability.<br>
        <br>
        HTML Injection<br>
        --------------<br>
        pickup.php<br>
        The auth parameter was submitted with the value
        &lt;h1&gt;hsusx&lt;/h1&gt;, and this value was
        echoed back verbatim in the resulting page.<br>
        <br>
        pickup.php<br>
        The auth parameter was submitted with the value
        &lt;h1&gt;8pamj&lt;/h1&gt;, and this value was
        echoed back verbatim in the resulting page.<br>
        <br>
        <br>
        Also an additional problem was found that might be easy to fix:<br>
        <br>
        Autocomplete Enabled on Password Field<br>
        --------------------------------------<br>
        index.php?action=login<br>
        Enabling autocomplete on a password field could
        allow the browser to store a user's password in
        plain text and show it to anyone using the same
        computer.<br>
        Add 'autocomplete=off' to every password field or
        login form on the site.<br>
        <br>
        <br>
        There are some more minor problems, too!<br>
        <br>
        The fix from yesterday for pickup.php only fixed<br>
        <br>
        2 Reflected Cross-Site Scripting<br>
        2 HTML Injection<br>
        <br>
        vulnerabilities.<br>
        <br>
        Jules, I could send you the entire report via
        private mail if you want to take a look at it and
        keep it confidential.<br>
        <br>
        And please correct me if I am wrong with the above!<br>
        <br>
        Kind regards and thanks for your work<br>
        <br>
        PCFreak<br>
        <br>
        <br>
      </tt><br>
      <div class="moz-cite-prefix">On 02.03.2016 18:06, Jules wrote:<br>
      </div>
      <blockquote cite="mid:56D71DB2.3070103@Zend.To" type="cite">
        <meta content="text/html; charset=windows-1252"
          http-equiv="Content-Type">
        Hi guys!<br>
        <br>
        Sorry about this one. The fault isn't actually in that line,
        it's just below it where it says this:<br>
        <br>
        <small><tt>    if ( isset($recipEmail) &amp;&amp; !
            preg_match($theDropbox-&gt;validEmailRegexp(),$recipEmail) )
            {</tt><tt><br>
          </tt><tt>      $emailAddr = 'INVALID';</tt><tt><br>
          </tt><tt>    }</tt></small><br>
        <br>
        Those 2 "$recipEmail" should of course both be "$emailAddr".<br>
        <br>
        I did carefully check the email address was valid, but put in
        the wrong variable name to check. :-(<br>
        My bad.<br>
        <br>
        That should fix it. No need to restart httpd or anything, just
        save the file and reload the page.<br>
        <br>
        Cheers,<br>
        Jules.<br>
        <br>
        P.S. Sorry I haven't done an update in *ages*. 2 questions: (1)
        What other outstanding bugs/patches are there?, and (2) Is it
        worth me re-writing the areyouahuman CAPTCHA code for their new
        one, or is everyone happy with the Google one (reCAPTCHA) that
        is there already?<br>
        <br>
        <div class="moz-cite-prefix">On 02/03/2016 15:28, Karl Bundy
          wrote:<br>
        </div>
        <blockquote
          cite="mid:a9b2f059d6424b84b0a3afa5fc891203@MBX03B-IAD3.mex08.mlsrvr.com"
          type="cite">
          <meta http-equiv="Content-Type" content="text/html;
            charset=windows-1252">
          <meta name="Generator" content="Microsoft Word 15 (filtered
            medium)">
          <style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif;
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
tt
        {mso-style-priority:99;
        font-family:"Courier New";}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;
        color:black;}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri",sans-serif;
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
          <div class="WordSection1">
            <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">Hi everyone,</span></p>
            <p class="MsoNormal">&nbsp;</p>
            <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">It appears that the issue is due to the fact that the email querystring variable is not being sanitized before being used. I am not a skilled programmer, but I was able to make this simple change to the pickup.php file and it appears to have resolved this XSS issue. Please use this at your own risk, as it appears to work for me, but your mileage may vary ;)</span></p>
            <p class="MsoNormal">&nbsp;</p>
            <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">In the pickup.php file change this line:</span></p>
            <p class="MsoNormal">&nbsp;</p>
            <p class="MsoNormal"><tt>$emailAddr = isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);</tt></p>
            <p class="MsoNormal">&nbsp;</p>
            <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">to this:</span></p>
            <p class="MsoNormal">&nbsp;</p>
            <p class="MsoNormal"><tt>$emailAddr = str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));</tt></p>
            <p class="MsoNormal">&nbsp;</p>
            <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">Save the file, and then test again.</span></p>
            <p class="MsoNormal">&nbsp;</p>
            <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1F497D">---Karl Bundy</span></p>
            <p class="MsoNormal">&nbsp;</p>
            <div>
              <div style="border:none;border-top:solid #E1E1E1
                1.0pt;padding:3.0pt 0in 0in 0in">
                <p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:windowtext">
                    <a moz-do-not-send="true"
                      class="moz-txt-link-abbreviated"
                      href="mailto:zendto-bounces@zend.to">zendto-bounces@zend.to</a>
                    [<a moz-do-not-send="true"
                      class="moz-txt-link-freetext"
                      href="mailto:zendto-bounces@zend.to">mailto:zendto-bounces@zend.to</a>]
                    <b>On Behalf Of </b>Der PCFreak<br>
                    <b>Sent:</b> Wednesday, March 02, 2016 6:10 AM<br>
                    <b>To:</b> <a moz-do-not-send="true"
                      class="moz-txt-link-abbreviated"
                      href="mailto:zendto@zend.to">zendto@zend.to</a><br>
                    <b>Subject:</b> Re: [ZendTo] XSS<o:p></o:p></span></p>
              </div>
            </div>
            <p class="MsoNormal"><o:p> </o:p></p>
            <p class="MsoNormal" style="margin-bottom:12.0pt"><tt><span
                  style="font-size:10.0pt">Hi,</span></tt><span
                style="font-size:10.0pt;font-family:&quot;Courier
                New&quot;"><br>
                <br>
                <tt>Barracuda offers their "Barracuda Vulnerability
                  Manager" for free at the moment and I tested it.</tt><br>
                <tt><a moz-do-not-send="true"
                    href="https://bvm.barracudanetworks.com/">https://bvm.barracudanetworks.com/</a></tt><br>
                <br>
                <br>
                <tt>Here are some of the results pointed at my ZendTo
                  installation:</tt><br>
                <br>
                <br>
                <tt>Reflected Cross-Site Scripting</tt><br>
                <tt>==============================</tt><br>
                <tt><a moz-do-not-send="true"
                    href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
                <tt>Issue Detail</tt><br>
                <tt>The emailAddr parameter was submitted with the value
                  "--&gt;&lt;script&gt;prompt(12345)&lt;/script&gt;lNYCi&lt;!--,

                  and the string was echoed verbatim in the output,
                  showing that there is a reflected XSS vulnerability.</tt><br>
                <br>
                <tt><a moz-do-not-send="true"
                    href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
                <tt>Issue Detail</tt><br>
                <tt>The auth parameter was submitted with the value
                  "--&gt;&lt;script&gt;prompt(12345)&lt;/script&gt;HyNzQ&lt;!--,
                  and the string was echoed verbatim in the output,
                  showing that there is a reflected XSS vulnerability.</tt><br>
                <br>
                <tt><a moz-do-not-send="true"
                    href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
                <tt>Issue Detail</tt><br>
                <tt>The emailAddr parameter was submitted with the value
                  "--&gt;&lt;script&gt;prompt(12345)&lt;/script&gt;x7RXs&lt;!--,

                  and the string was echoed verbatim in the output,
                  showing that there is a reflected XSS vulnerability.</tt><br>
                <br>
                <tt><a moz-do-not-send="true"
                    href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
                <tt>Issue Detail</tt><br>
                <tt>The auth parameter was submitted with the value
                  "--&gt;&lt;script&gt;prompt(12345)&lt;/script&gt;WqYcq&lt;!--,
                  and the string was echoed verbatim in the output,
                  showing that there is a reflected XSS vulnerability.</tt><br>
                <br>
                <tt>HTML-Injection</tt><br>
                <tt>==============</tt><br>
                <tt><a moz-do-not-send="true"
                    href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
                <tt>Issue Detail</tt><br>
                <tt>The emailAddr parameter was submitted with the value
                  &lt;h1&gt;tjkgr&lt;/h1&gt;, and this value was echoed
                  back verbatim in the resulting page.</tt><br>
                <br>
                <tt><a moz-do-not-send="true"
                    href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
                <tt>Issue Detail</tt><br>
                <tt>The auth parameter was submitted with the value
                  &lt;h1&gt;xt90x&lt;/h1&gt;, and this value was echoed
                  back verbatim in the resulting page.</tt><br>
                <br>
                <tt><a moz-do-not-send="true"
                    href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
                <tt>Issue Detail</tt><br>
                <tt>The emailAddr parameter was submitted with the value
                  &lt;h1&gt;zrjja&lt;/h1&gt;, and this value was echoed
                  back verbatim in the resulting page.</tt><br>
                <br>
                <tt><a moz-do-not-send="true"
                    href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
                <tt>Issue Detail</tt><br>
                <tt>The auth parameter was submitted with the value
                  &lt;h1&gt;anhxx&lt;/h1&gt;, and this value was echoed
                  back verbatim in the resulting page.</tt><br>
                <br>
                <tt>Kind regards</tt><br>
                <br>
                <tt>PCFreak</tt><br>
                <br>
                <br>
                <br>
                <br>
              </span><o:p></o:p></p>
            <div>
              <p class="MsoNormal">On 01.03.2016 20:14, Chris Venter
                wrote:<o:p></o:p></p>
            </div>
            <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
              <div>
                <div>
                  <div>
                    <div>
                      <div>
                        <div>
                          <p class="MsoNormal"
                            style="margin-bottom:12.0pt">Hi <o:p></o:p></p>
                        </div>
                        <p class="MsoNormal">Our security audit has
                          highlighted a possible reflected cross site
                          scripting error on the pickup.php page, to test
                          we ran <br>
                          <br>
                          <a moz-do-not-send="true"
                            href="https://server_name/pickup/php?emailAddr=test"
                            target="_blank">https://server_name/pickup/php?emailAddr=test</a>"
                          /&gt;&lt;script&gt;alert('XSS
                          Test')&lt;/script&gt;<o:p></o:p></p>
                      </div>
                      <p class="MsoNormal"><o:p> </o:p></p>
                    </div>
                    <p class="MsoNormal" style="margin-bottom:12.0pt">Can

                      anyone else confirm if this is an issue?<o:p></o:p></p>
                  </div>
                  <p class="MsoNormal">Thanks<o:p></o:p></p>
                </div>
                <p class="MsoNormal">CJ<o:p></o:p></p>
              </div>
              <p class="MsoNormal"><br>
                <br>
                <br>
                <o:p></o:p></p>
              <pre>_______________________________________________<o:p></o:p></pre>
              <pre>ZendTo mailing list<o:p></o:p></pre>
              <pre><a moz-do-not-send="true" href="mailto:ZendTo@zend.to">ZendTo@zend.to</a><o:p></o:p></pre>
              <pre><a moz-do-not-send="true" href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a><o:p></o:p></pre>
            </blockquote>
            <p class="MsoNormal"><o:p> </o:p></p>
          </div>
          <br>
          <br>
          <pre class="moz-signature" cols="72">Jules

-- 
Julian Field MEng MBCS CITP CEng


<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
</pre>
        </blockquote>
        <br>
      </blockquote>
      <br>
    </blockquote>
    <br>
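    <p>Added example, not code from ZendTo or from anyone in the thread above: it puts the
    quote-stripping change proposed for pickup.php next to a version that validates the
    address (the "set it to INVALID when the regex fails" approach) and HTML-encodes every
    echoed value, including the auth parameter that the scanner kept flagging. The
    scanner payloads from the thread are used as constructed input. EMAIL_REGEXP and the
    function names are illustrative assumptions; ZendTo's own validEmailRegexp() is not
    reproduced here.</p>

```php
<?php
// Added example, not code from ZendTo or from anyone in this thread.
// It contrasts the str_replace('"', '', ...) fix proposed for pickup.php
// with input validation plus output encoding, using the scanner payloads
// quoted in the thread as constructed input. EMAIL_REGEXP and the function
// names are illustrative assumptions; ZendTo's validEmailRegexp() is not shown.
declare(strict_types=1);

// Parameter lookup with the same POST-then-GET precedence as the quoted
// pickup.php line, but from explicit arrays so it runs from the CLI.
function requestParam(array $post, array $get, string $name): ?string
{
    if (isset($post[$name])) {
        return (string) $post[$name];
    }
    return isset($get[$name]) ? (string) $get[$name] : null;
}

// 1. The quote-stripping "fix" from the thread. It keeps a double-quoted
//    attribute from being closed early, but it is tied to that one sink:
//    a value echoed into element text (the auth parameter here) still
//    carries <script> and <h1> tags unchanged.
function renderQuoteStripped(?string $emailAddr, ?string $auth): string
{
    $emailAddr = str_replace('"', '', (string) $emailAddr);
    $auth      = str_replace('"', '', (string) $auth);
    return '<input type="text" name="emailAddr" value="' . $emailAddr . '"/>'
         . '<p>Authorisation: ' . $auth . '</p>';
}

// 2. Hardened: allow-list the address (the "set it to INVALID when the
//    regex fails" idea from the thread, with a simplified regex) and encode
//    every value with htmlspecialchars() at the point it enters HTML,
//    the auth parameter included.
const EMAIL_REGEXP = '/^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$/';

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderHardened(?string $emailAddr, ?string $auth): string
{
    if ($emailAddr !== null && !preg_match(EMAIL_REGEXP, $emailAddr)) {
        $emailAddr = 'INVALID';
    }
    return '<input type="text" name="emailAddr" value="' . h((string) $emailAddr) . '"/>'
         . '<p>Authorisation: ' . h((string) $auth) . '</p>';
}

// True if a raw <script> or <h1> tag survived into the rendered HTML.
// (Inside an attribute value it would not execute, but unencoded markup
// should never reach the page at all.)
function reflectsMarkup(string $html): bool
{
    return stripos($html, '<script') !== false || stripos($html, '<h1') !== false;
}

// Constructed request, modelled on the scanner payloads quoted in the thread.
$get = [
    'emailAddr' => '"--><script>prompt(12345)</script>lNYCi<!--',
    'auth'      => '<h1>anhxx</h1>',
];
$email = requestParam([], $get, 'emailAddr');
$auth  = requestParam([], $get, 'auth');

$pages = [
    'quote-stripped' => renderQuoteStripped($email, $auth),
    'hardened'       => renderHardened($email, $auth),
];
foreach ($pages as $label => $html) {
    printf("%-15s reflects markup: %s\n%s\n\n",
        $label, reflectsMarkup($html) ? 'yes' : 'no', $html);
}
```

    <p>Run it with <tt>php example.php</tt>. The point of the two renderers is that
    sanitising one character for one sink (the double quote for a quoted attribute) leaves
    every other sink in the page untouched, whereas encoding at the output point works for
    any value regardless of where it came from; the validation step is an extra layer that
    also keeps the address from reaching the mail layer in a bogus form.</p>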
  </body>
</html>