Vulnerability in ZendTo may allow Cross-site Scripting Attacks (CVE-2013-6808)

  • Impact: Cross-site Scripting (stored/reflected)
  • Software package: ZendTo <=4.11-12


During a recent penetration test, we identified a cross-site scripting vulnerability in the latest version (4.11-12) of Zend To. To exploit this vulnerability, the receiving user modifies the emailAddr variable in the pickup.php URL found in the email notification, requests the page and clicks download on one of the files. The HTML code is then stored in the logs and presented back to the sender and recipient.

Disclosure Timelines

  • 2013-11-17: Vulnerability discovered
  • 2013-11-19: Notified vendor
  • 2013-12-09: Made initial contact with the vendor
  • 2013-12-10: Vendor confirms issue
  • 2013-12-16: Patch released by vendor (found here)

Vulnerability Details

This vulnerability affects the pickup.php page which is accessed by both the sending and receiving users. At line 640 of lib/NSSDropoff.php (line 7 below), the input field emailAddr has all of its whitespace removed. This routine does not validate whether the input is actually an email address, and stores the input field into the database, and presents it back to the user.

The absence of input validation makes it possible for an attacker to inject HTML into the database and launch a client-side attack.