<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<tt>Hi Jules,<br>
<br>
<tt>thanks for the qui<tt>ck fix in pickup.php<br>
<br>
<tt>But there seem to b<tt>e still some proble<tt>ms <tt>in <tt>pickup.php
concerning the 'auth' <tt>parameter</tt></tt></tt>:<br>
<br>
<tt>Reflected Cross-Site Scripting<br>
------------------------------<br>
pickup.php<br>
The auth parameter was submitted with the value
"--><script>prompt(12345)</script>1t58l<!--,
and the string was echoed verbatim in the output,
showing that there is a reflected XSS vulnerability.<br>
<br>
pickup.php<br>
The auth parameter was submitted with the value
"--><script>prompt(12345)</script>KBY7h<!--,
and the string was echoed verbatim in the output,
showing that there is a reflected XSS vulnerability.<br>
<br>
HTML Injection<br>
--------------<br>
pickup.php<br>
The auth parameter was submitted with the value
<h1>hsusx</h1>, and this value was echoed
back verbatim in the resulting page.<br>
<br>
pickup.php<br>
The auth parameter was submitted with the value
<h1>8pamj</h1>, and this value was echoed
back verbatim in the resulting page.<br>
<br>
<br>
</tt>Also an additional problem was found that might be
eas<tt>y to fix:<br>
<tt><br>
Autocomplete Enabled on Password Field<br>
--------------------------------------<br>
index.php?action=login<br>
Enabling autocomplete on a password field could
allow the browser to store a user's password in
plain text and show it to anyone using the same
computer.<br>
Add 'autocomplete=off' to every password field or
login form on the site.</tt><br>
</tt><br>
<br>
There are some more minor problems<tt>, too!<br>
<br>
<tt>The fix from <tt>yesterday for pickup.php only
fixed<br>
<br>
<tt>2 Refelected Cross-Site Scripting<br>
<tt>2 HTML<tt> Injection<br>
<br>
<tt>vulnerabilities.</tt><br>
</tt></tt></tt></tt></tt><br>
<tt>Jules, I could send you the entire report via
private mail if you want to take a look at it and
keep it confidential.<br>
<br>
<tt>And please correct me, if <tt>I am wrong with
the above!</tt></tt><br>
<br>
<tt>Kind regards and thanks for <tt>your work</tt><br>
<br>
<tt><tt>PCFreak</tt></tt><br>
</tt></tt></tt><br>
<br>
<br>
</tt></tt></tt></tt></tt></tt><br>
<div class="moz-cite-prefix">On 02.03.2016 18:06, Jules wrote:<br>
</div>
<blockquote cite="mid:56D71DB2.3070103@Zend.To" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
Hi guys!<br>
<br>
Sorry about this one. The fault isn't actually in that line, it's
just below it where it says this:<br>
<br>
<small><tt> if ( isset($recipEmail) && !
preg_match($theDropbox->validEmailRegexp(),$recipEmail) ) {</tt><tt><br>
</tt><tt> $emailAddr = 'INVALID';</tt><tt><br>
</tt><tt> }</tt></small><br>
<br>
Those 2 "$recipEmail" should of course both be "$emailAddr".<br>
<br>
I did carefully check the email address was valid, but put in the
wrong variable name to check. :-(<br>
My bad.<br>
<br>
That should fix it. No need to restart httpd or anything, just
save the file and reload the page.<br>
<br>
Cheers,<br>
Jules.<br>
<br>
P.S. Sorry I haven't done an update in *ages*. 2 questions: (1)
What other outstanding bugs/patches are there?, and (2) Is it
worth me re-writing the areyouahuman CAPTCHA code for their new
one, or is everyone happy with the Google one (reCAPTCHA) that is
there already?<br>
<br>
<div class="moz-cite-prefix">On 02/03/2016 15:28, Karl Bundy
wrote:<br>
</div>
<blockquote
cite="mid:a9b2f059d6424b84b0a3afa5fc891203@MBX03B-IAD3.mex08.mlsrvr.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
tt
{mso-style-priority:99;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hi
everyone,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">It
appears that the issue is due to the fact that the email
querystring variable is not being sanitized before being
used. I am not a skilled programmer, but I was able to
make this simple change to the pickup.php file and it
appears to have resolved this XSS issue. Please use this
at your own risk, as it appears to work for me, but your
mileage may vary ;)<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">In
the pickup.php file change this line:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">$emailAddr
=
isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL);<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">to
this:<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">$emailAddr
=
str_replace('"','',isset($_POST['emailAddr'])?$_POST['emailAddr']:(isset($_GET['emailAddr'])?$_GET['emailAddr']:NULL));<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Save
the file, and then test again.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">---Karl
Bundy<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">
<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:zendto-bounces@zend.to">zendto-bounces@zend.to</a>
[<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="mailto:zendto-bounces@zend.to">mailto:zendto-bounces@zend.to</a>]
<b>On Behalf Of </b>Der PCFreak<br>
<b>Sent:</b> Wednesday, March 02, 2016 6:10 AM<br>
<b>To:</b> <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:zendto@zend.to">zendto@zend.to</a><br>
<b>Subject:</b> Re: [ZendTo] XSS<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><tt><span
style="font-size:10.0pt">Hi,</span></tt><span
style="font-size:10.0pt;font-family:"Courier
New""><br>
<br>
<tt>Barracuda offers their "Barracuda Vulnerability
Manager" for free at the moment and I tested it.</tt><br>
<tt><a moz-do-not-send="true"
href="https://bvm.barracudanetworks.com/">https://bvm.barracudanetworks.com/</a></tt><br>
<br>
<br>
<tt>Here some of the results pointed at my ZendTo
installation:</tt><br>
<br>
<br>
<tt>Reflected Cross-Site Scripting</tt><br>
<tt>==============================</tt><br>
<tt><a moz-do-not-send="true"
href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
<tt>Issue Detail</tt><br>
<tt>The emailAddr parameter was submitted with the value
"--><script>prompt(12345)</script>lNYCi<!--,
and the string was echoed verbatim in the output,
showing that there is a reflected XSS vulnerability.</tt><br>
<br>
<tt><a moz-do-not-send="true"
href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
<tt>Issue Detail</tt><br>
<tt>The auth parameter was submitted with the value
"--><script>prompt(12345)</script>HyNzQ<!--,
and the string was echoed verbatim in the output,
showing that there is a reflected XSS vulnerability.</tt><br>
<br>
<tt><a moz-do-not-send="true"
href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
<tt>Issue Detail</tt><br>
<tt>The emailAddr parameter was submitted with the value
"--><script>prompt(12345)</script>x7RXs<!--,
and the string was echoed verbatim in the output,
showing that there is a reflected XSS vulnerability.</tt><br>
<br>
<tt><a moz-do-not-send="true"
href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
<tt>Issue Detail</tt><br>
<tt>The auth parameter was submitted with the value
"--><script>prompt(12345)</script>WqYcq<!--,
and the string was echoed verbatim in the output,
showing that there is a reflected XSS vulnerability.</tt><br>
<br>
<tt>HTML-Injection</tt><br>
<tt>==============</tt><br>
<tt><a moz-do-not-send="true"
href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
<tt>Issue Detail</tt><br>
<tt>The emailAddr parameter was submitted with the value
<h1>tjkgr</h1>, and this value was echoed
back verbatim in the resulting page.</tt><br>
<br>
<tt><a moz-do-not-send="true"
href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
<tt>Issue Detail</tt><br>
<tt>The auth parameter was submitted with the value
<h1>xt90x</h1>, and this value was echoed
back verbatim in the resulting page.</tt><br>
<br>
<tt><a moz-do-not-send="true"
href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
<tt>Issue Detail</tt><br>
<tt>The emailAddr parameter was submitted with the value
<h1>zrjja</h1>, and this value was echoed
back verbatim in the resulting page.</tt><br>
<tt>View Full HTTP Request and Response</tt><br>
<br>
<tt><a moz-do-not-send="true"
href="https://your.url.tld/pickup.php">https://your.url.tld/pickup.php</a></tt><br>
<tt>Issue Detail</tt><br>
<tt>The auth parameter was submitted with the value
<h1>anhxx</h1>, and this value was echoed
back verbatim in the resulting page.</tt><br>
<br>
<tt>Kind regards</tt><br>
<br>
<tt>PCFreak</tt><br>
<br>
<br>
<br>
<br>
</span><o:p></o:p></p>
<div>
<p class="MsoNormal">On 01.03.2016 20:14, Chris Venter
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"
style="margin-bottom:12.0pt">Hi <o:p></o:p></p>
</div>
<p class="MsoNormal">Our security audit has
highlighted a possible reflected cross site
scripting error on the pickup.php page,to test
we ran <br>
<br>
<a moz-do-not-send="true"
href="https://server_name/pickup/php?emailAddr=test"
target="_blank">https://server_name/pickup/php?emailAddr=test</a>"
/><script>alert('XSS
Test')</script><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Can
anyone else confirm if this is an issue?<o:p></o:p></p>
</div>
<p class="MsoNormal">Thanks<o:p></o:p></p>
</div>
<p class="MsoNormal">CJ<o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>ZendTo mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:ZendTo@zend.to">ZendTo@zend.to</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
ZendTo mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:ZendTo@zend.to">ZendTo@zend.to</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a></pre>
<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng MBCS CITP CEng
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Twitter: @JulesFM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
</pre>
</blockquote>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
ZendTo mailing list
<a class="moz-txt-link-abbreviated" href="mailto:ZendTo@zend.to">ZendTo@zend.to</a>
<a class="moz-txt-link-freetext" href="http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto">http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto</a></pre>
</blockquote>
<br>
</body>
</html>