ProtonMail.ch Header Injection / CSRF
Juan Carlos Garcia, packetstormsecurity.com (PACKETSTORM:126851), 2014-05-30

`Security Advisory
-----------------
  
  
Time Line Vulnerability
-------------------------------

- Day 05-05-2014: Security Advisory => No response
- Days 08, 12 and 19-05-2014: Multiple Advisories => No response
- Day 20-05-2014: Full Disclosure

  
Alerts summary
********************

- CRLF injection / HTTP response splitting
  /crypt/cryptographp.php (parameter cfg)

- Apache 2.x version older than 2.2.6
  Web Server

- Apache 2.x version older than 2.2.8
  Web Server

- Apache 2.x version older than 2.2.9
  Web Server

- Apache httpd remote denial of service
  Web Server

- HTML form without CSRF protection
  /blog
  /blog/transparency-report
  /blog/wp-login.php
  /blog/wp-login.php (cac6435f6386a7a635b3f12aeb81195e)
  /crypt
  /lander
  /login.php
  /report_bug.php
  /sign_up.php

- Apache 2.x version older than 2.2.10
  Web Server

- Clickjacking: X-Frame-Options header missing
  Web Server

- Sensitive page could be cached
  /sign_up.php (a18aae949b9855b60506dc83164afe7f)

- Session Cookie without HttpOnly flag set
  /

- TRACE method is enabled
  Web Server

- Broken links
  /css/bootstrap.css
  /css/bs.css
  /pages/contact_us.php
  /pages/mit_license.php

- Password type input with autocomplete enabled
  /blog/wp-login.php

  
I. VULNERABILITY
-------------------------

The ASAP-Sec penetration testers describe here the faults listed in the title.

#Title: ProtonMail.ch suffers from CRLF injection / HTTP response splitting, Apache 2.x versions older than 2.2.6, 2.2.8, 2.2.9 and 2.2.10, Apache httpd remote DoS and CSRF

#Vendor: https://protonmail.ch:443/

#Author: Juan Carlos García and Francisco Moraga

#Follow us: http://www.highsec.es ||| Twitter: @secnight / @btshell1

  
II. DESCRIPTION
-------------------------

- ProtonMail is incorporated in Switzerland and its servers are located in Switzerland.

- They are outside of US and EU jurisdiction and all user data is protected by strict Swiss privacy laws.

Because of their end-to-end encryption, they think that:

"Your data is already secure and encrypted by the time it reaches our servers. We have no access to your messages, and since we cannot decrypt them, we cannot share them with third parties".

- ProtonMail's segregated authentication and decryption system means that logging into a ProtonMail account requires two passwords.

- The first password is used to authenticate the user and retrieve the correct account. After that, encrypted data is sent to the user.

- The second password is a decryption password which is never sent to us. It is used to decrypt the user's data in the browser so we never have access to the decrypted data or the decryption password.

- For this reason, we are also unable to do password recovery.

- If you forget your decryption password, we cannot recover your data.

By the way, ASAP-SEC is verifying this information... Let's get down to business ;)

  
III- Vulnerabilities
---------------------

CRLF injection / HTTP response splitting
****************************************

This script is possibly vulnerable to CRLF injection attacks.

HTTP headers have the structure "Key: Value", where each line is separated by the CRLF combination. If user input is injected into the value section without properly escaping or removing CRLF characters, it is possible to alter the structure of the HTTP headers.

HTTP Response Splitting is a "new" application attack technique which enables various further attacks such as web cache poisoning, cross-user defacement, hijacking pages with sensitive user information and cross-site scripting (XSS).

The attacker sends a single HTTP request that forces the web server to form an output stream which is then interpreted by the target as two HTTP responses instead of one.

  
Affected items
------------------

/crypt/cryptographp.php

The impact of this vulnerability
----------------------------------

It is possible for a remote attacker to inject custom HTTP headers. For example, an attacker can inject session cookies or HTML code. This may lead to vulnerabilities like XSS (cross-site scripting) or session fixation.

  
How to fix this vulnerability
------------------------------------

You need to restrict CR (decimal 13, 0x0D) and LF (decimal 10, 0x0A) in the user input, or properly encode the output, in order to prevent the injection of custom HTTP headers.

  
Attack details
--------------------

URL encoded GET input cfg was set to <SomeCustomInjectedHeader:injected_by_secnight

Injected header found:

SomeCustomInjectedHeader: injected_by_secnight

Request:

GET /crypt/cryptographp.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight

Response:

HTTP/1.0 302 Found
Date: Wed, 28 May 2014 15:33:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.28
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: cryptcookietest=1
Location: cryptographp.inc.php?cfg=
SomeCustomInjectedHeader: injected_by_secnight&sn=PHPSESSID&
Strict-Transport-Security: max-age=15768000;includeSubDomains
Content-Length: 0
Connection: close
Content-Type: text/html

  
  
Variant 1
-----------

GET /crypt/cryptographp.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_asapsec HTTP/1.1
Referer: https://protonmail.ch:443/
Cookie: PHPSESSID=afaj9rt84m3oevgtld6thfe9l4; cryptcookietest=1
Host: protonmail.ch
Connection: Keep-alive

Response
----------

HTTP/1.0 302 Found
Date: Wed, 28 May 2014 15:33:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.28
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: cryptcookietest=1
Location: cryptographp.inc.php?cfg=
SomeCustomInjectedHeader: injected_by_wvs&sn=PHPSESSID&
Strict-Transport-Security: max-age=15768000;includeSubDomains
Content-Length: 0
Connection: close
Content-Type: text/html
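To make the mechanism concrete, here is an added example that is not the site's code: `build_redirect` is an assumed model of the vulnerable redirect (the decoded `cfg` copied into Location, as the recorded response suggests). It rebuilds the split response from the recorded payload, parses it the way a client or proxy would, and shows that percent-encoding the value before it reaches the header, or rejecting raw CR/LF as the fix section recommends, leaves the header structure intact.

```python
import urllib.parse

# The cfg value recorded in the advisory's request line.
RECORDED_CFG = "%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight"

def build_redirect(cfg: str) -> bytes:
    """Model of the vulnerable redirect (an assumption, not the real script):
    the decoded query parameter is copied straight into the Location header."""
    return (
        "HTTP/1.0 302 Found\r\n"
        f"Location: cryptographp.inc.php?cfg={cfg}&sn=PHPSESSID&\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")

def parse_headers(raw: bytes) -> dict:
    """Split a raw response into a header map the way a client or proxy would."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers

def contains_crlf(value: str) -> bool:
    """Input-side check from the fix section: reject raw CR or LF outright."""
    return "\r" in value or "\n" in value

def encode_cfg(cfg: str) -> str:
    """Output-side fix: percent-encode the whole value before it reaches the
    header, so CR and LF can only ever appear as the text %0D / %0A."""
    return urllib.parse.quote(cfg, safe="")

def demo() -> tuple:
    decoded = urllib.parse.unquote(RECORDED_CFG)  # what the server received
    vulnerable = parse_headers(build_redirect(decoded))
    hardened = parse_headers(build_redirect(encode_cfg(decoded)))
    return (
        "SomeCustomInjectedHeader" in vulnerable,  # True: response was split
        "SomeCustomInjectedHeader" in hardened,    # False: encoding stops it
        contains_crlf(decoded),                    # True: input check rejects it
    )

if __name__ == "__main__":
    print(demo())
```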
  
  
  
  
  
  
Apache 2.x version older than 2.2.10
**************************************

Fixed in Apache httpd 2.2.10: mod_proxy_ftp globbing XSS, CVE-2008-2939.

A flaw was found in the handling of wildcards in the path of an FTP URL with mod_proxy_ftp. If mod_proxy_ftp is enabled to support FTP-over-HTTP, requests containing globbing characters could lead to cross-site scripting (XSS) attacks.

Affected Apache versions: 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2, 2.2.0.

  
Apache httpd remote denial of service
*************************************

Vulnerability description
------------------------------

A denial of service vulnerability has been found in the way multiple overlapping ranges are handled by the Apache HTTPD server:

http://seclists.org/fulldisclosure/2011/Aug/175

An attack tool is circulating in the wild and active use of this tool has been observed. The attack can be done remotely, and with a modest number of requests can cause very significant memory and CPU usage on the server.

Affected Apache versions: 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19.

How to fix this vulnerability
-----------------------------

Upgrade to the latest version of Apache HTTP Server (2.2.20 or later), available from the Apache HTTP Server Project Web site.

Web references
--------------

CVE-2011-3192
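As an added detection example (not from the advisory and not Apache's own code), the following parses a Range header into byte ranges and flags requests that carry many ranges or ranges overlapping one another, which is the request pattern behind CVE-2011-3192. The threshold, the resource length and the two sample headers are constructed here; the function is meant for a filtering proxy, WAF rule or log triage, where the upgrade above is not yet possible.

```python
import re
from typing import List, Optional, Tuple

RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

# Constructed sample headers (not captured traffic): a normal request and one with many overlapping open-ended ranges.
NORMAL = "bytes=0-499,1000-1499"
ABUSIVE = "bytes=0-,1-,2-,3-,4-,5-,6-"

def parse_ranges(header: str) -> List[Tuple[Optional[int], Optional[int]]]:
    """Parse 'bytes=a-b,c-,-d' into (first, last) pairs; None means open-ended.
    Raises ValueError for anything that is not a byte-range set."""
    unit, sep, specs = header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("not a bytes range")
    ranges = []
    for spec in specs.split(","):
        m = RANGE_SPEC.match(spec)
        if not m or not (m.group(1) or m.group(2)):
            raise ValueError(f"bad range spec {spec!r}")
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        ranges.append((first, last))
    return ranges

def overlapping_ranges(ranges, length: int) -> int:
    """Count ranges that overlap an earlier one once resolved against a
    resource of `length` bytes (suffix and open-ended ranges are resolved too)."""
    resolved = []
    for first, last in ranges:
        if first is None:                       # suffix range: the last N bytes
            first, last = max(0, length - last), length - 1
        elif last is None or last >= length:
            last = length - 1
        resolved.append((first, last))
    return sum(
        1 for i, (a, b) in enumerate(resolved)
        if any(a <= d and c <= b for c, d in resolved[:i])
    )

def is_abusive_range(header: str, length: int = 1_000_000,
                     max_ranges: int = 5) -> bool:
    """Policy a filtering proxy or WAF could apply (an assumed threshold, not
    Apache's): flag more than `max_ranges` ranges or any overlap among them."""
    try:
        ranges = parse_ranges(header)
    except ValueError:
        return False                            # malformed Range is ignored by servers
    return len(ranges) > max_ranges or overlapping_ranges(ranges, length) > 0
```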
  
  
  
  
  
  
  
  
Sensitive page could be cached
******************************

Vulnerability description
-----------------------

This page contains possibly sensitive information (e.g. a password parameter) and could potentially be cached. Even on secure SSL channels, sensitive data could be stored by intermediary proxies and SSL terminators. To prevent this, a Cache-Control header should be specified.

This vulnerability affects /sign_up.php (a18aae949b9855b60506dc83164afe7f).

Request:

GET /sign_up.php?username=urvimsoj HTTP/1.1
Pragma: no-cache
Referer: https://protonmail.ch/lander/

Response
----------

HTTP/1.0 200 OK
Date: Sun, 18 May 2014 19:27:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.28
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Strict-Transport-Security: max-age=15768000;includeSubDomains
Connection: close
Content-Type: text/html
Content-Length: 8285
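Added example, not the scanner's or the site's logic: a small classifier for what a shared cache (an intermediary proxy or SSL terminator) may do with a response, run over the headers recorded above and over two constructed weaker variants. It shows the point behind the fix: only `no-store` (or `private`) keeps a shared cache from storing a copy, while a past `Expires` date or `no-cache` merely marks a stored copy as needing revalidation.

```python
from email.utils import parsedate_to_datetime

# Response headers recorded in the advisory for /sign_up.php.
RECORDED = {
    "Date": "Sun, 18 May 2014 19:27:10 GMT",
    "Expires": "Thu, 19 Nov 1981 08:52:00 GMT",
    "Cache-Control": "no-store, no-cache, must-revalidate, post-check=0, pre-check=0",
    "Pragma": "no-cache",
}
# Constructed (not observed) weaker header sets for comparison.
EXPIRES_ONLY = {"Date": "Sun, 18 May 2014 19:27:10 GMT",
                "Expires": "Thu, 19 Nov 1981 08:52:00 GMT", "Pragma": "no-cache"}
MAX_AGE = {"Date": "Sun, 18 May 2014 19:27:10 GMT", "Cache-Control": "max-age=600"}

def cache_directives(value: str) -> dict:
    """'no-store, max-age=600' -> {'no-store': None, 'max-age': '600'}."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().lower().partition("=")
        if name:
            out[name] = arg.strip('" ') or None
    return out

def shared_cache_verdict(headers: dict) -> str:
    """One of: not-stored, stored-fresh, stored-stale, stored-heuristic.
    Only no-store/private keep a shared cache from storing a copy; a past
    Expires or no-cache merely forces revalidation of the copy it kept."""
    cc = cache_directives(headers.get("Cache-Control", ""))
    if "no-store" in cc or "private" in cc:
        return "not-stored"
    for name in ("s-maxage", "max-age"):            # explicit freshness lifetime
        if cc.get(name) is not None and cc[name].isdigit():
            return "stored-fresh" if int(cc[name]) > 0 else "stored-stale"
    if "Expires" in headers:
        try:
            expires = parsedate_to_datetime(headers["Expires"])
            date = parsedate_to_datetime(headers.get("Date", headers["Expires"]))
        except (TypeError, ValueError):
            return "stored-stale"                   # invalid Expires = already expired
        return "stored-fresh" if expires > date else "stored-stale"
    return "stored-heuristic"                       # no freshness info: heuristics apply

def hardened_headers() -> dict:
    """Header set the fix section calls for on pages that carry credentials."""
    return {"Cache-Control": "no-store", "Pragma": "no-cache", "Expires": "0"}
```

On the recorded headers the verdict is already not-stored, so the /sign_up.php finding is worth re-verifying against the live response rather than relying on the scanner's report.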
  
  
  
  
HTML form without CSRF protection
********************************

Vulnerability description
------------------------------

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.

The penetration testers (the authors) found an HTML form with no apparent CSRF protection implemented. Consult the details for more information about the affected HTML form.

Affected items
---------------

/blog
/blog/transparency-report
/blog/wp-login.php
/blog/wp-login.php (cac6435f6386a7a635b3f12aeb81195e)
/crypt
/lander
/login.php
/report_bug.php
/sign_up.php

The impact of this vulnerability
--------------------------------

An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end-user data and operations in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

How to fix this vulnerability
-----------------------------

Check whether this form requires CSRF protection and implement CSRF countermeasures if necessary.

  
CREDITS
-------------------------

This vulnerability has been discovered by Juan Carlos García (@secnight) and Francisco Moraga (@btshell).

VII. LEGAL NOTICES
-------------------------

The authors accept no responsibility for any damage caused by the use or misuse of this information.

`