Security Advisory
-----------------

Time Line Vulnerability
-----------------------
- Day 05-05-2014: Security Advisory => No response
- Days 08, 12, 19-05-2014: Multiple Advisories => No response
- Day 20-05-2014: Full Disclosure

Alerts summary
**************
- CRLF injection / HTTP response splitting: /crypt/cryptographp.php (parameter cfg)
- Apache 2.x version older than 2.2.6: Web Server
- Apache 2.x version older than 2.2.8: Web Server
- Apache 2.x version older than 2.2.9: Web Server
- Apache httpd remote denial of service: Web Server
- HTML form without CSRF protection: /blog, /blog/transparency-report, /blog/wp-login.php, /blog/wp-login.php (cac6435f6386a7a635b3f12aeb81195e), /crypt, /lander, /login.php, /report_bug.php, /sign_up.php
- Apache 2.x version older than 2.2.10: Web Server
- Clickjacking, X-Frame-Options header missing: Web Server
- Sensitive page could be cached: /sign_up.php (a18aae949b9855b60506dc83164afe7f)
- Session cookie without HttpOnly flag set: /
- TRACE method is enabled: Web Server
- Broken links: /css/bootstrap.css, /css/bs.css, /pages/contact_us.php, /pages/mit_license.php
- Password type input with autocomplete enabled: /blog/wp-login.php

I. VULNERABILITY
----------------
The ASAP-Sec penetration testers explain the faults exposed in the title.

#Title: ProtonMail.ch suffers from CRLF injection / HTTP response splitting; Apache 2.x version older than 2.2.6 / 2.2.8 / 2.2.9 / 2.2.10; httpd remote DoS; CSRF
#Vendor: https://protonmail.ch:443/
#Author: Juan Carlos García and Francisco Moraga
#Follow us: http://www.highsec.es ||| Twitter: @secnight / @btshell1

II. DESCRIPTION
---------------
- ProtonMail is incorporated in Switzerland and their servers are located in Switzerland.
- They are outside of US and EU jurisdiction and all user data is protected by strict Swiss privacy laws. Because of their end-to-end encryption, they state: "Your data is already secure and encrypted by the time it reaches our servers.
We have no access to your messages, and since we cannot decrypt them, we cannot share them with third parties."
- ProtonMail's segregated authentication and decryption system means logging into a ProtonMail account requires two passwords.
- The first password is used to authenticate the user and retrieve the correct account. After that, encrypted data is sent to the user.
- The second password is a decryption password which is never sent to us. It is used to decrypt the user's data in the browser so we never have access to the decrypted data or the decryption password.
- For this reason, we are also unable to do password recovery.
- If you forget your decryption password, we cannot recover your data.

By the way, ASAP-SEC is verifying this information... Let's get down to business ;)

III. Vulnerabilities
--------------------

CRLF injection / HTTP response splitting
****************************************
This script is possibly vulnerable to CRLF injection attacks. HTTP headers have the structure "Key: Value", where each line is separated by the CRLF combination. If user input is injected into the value section without properly escaping/removing CRLF characters, it is possible to alter the HTTP header structure.

HTTP Response Splitting is a "new" application attack technique which enables various new attacks such as web cache poisoning, cross-user defacement, hijacking pages with sensitive user information and cross-site scripting (XSS). The attacker sends a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one.

Affected items
--------------
/crypt/cryptographp.php

The impact of this vulnerability
--------------------------------
It is possible for a remote attacker to inject custom HTTP headers. For example, an attacker can inject session cookies or HTML code. This may lead to vulnerabilities like XSS (cross-site scripting) or session fixation.
How to fix this vulnerability
-----------------------------
You need to restrict CR(0x13) and LF(0x10) from the user input or properly encode the output in order to prevent the injection of custom HTTP headers.

Attack details
--------------
URL encoded GET input cfg was set to
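To make the fix concrete, the following Python model (an added example, not code from the advisory, from ProtonMail or from cryptographp.php; the header names and the sample value are constructed) reproduces a script that echoes the decoded `cfg` parameter into a response header, shows how a client parses the result, and applies the check recommended above before the header is written.

```python
import re
from urllib.parse import unquote

# A header line ends at CR (\r, 0x0D) or LF (\n, 0x0A); either one inside a
# value lets the caller start a new header line. Hypothetical helper code.
CRLF = re.compile(r"[\r\n]")


def header_value_is_safe(value):
    """True when the decoded value cannot terminate the current header line."""
    return CRLF.search(value) is None


def sanitize_header_value(value):
    """Strip CR/LF so the value stays inside one header line."""
    return CRLF.sub("", value)


def build_response(cfg_encoded, harden):
    """Model a script that echoes the URL-encoded GET parameter `cfg` into a
    Set-Cookie header. harden=False reproduces the flaw; harden=True rejects
    the request before any header is written."""
    cfg = unquote(cfg_encoded)  # decode first: %0d%0a only becomes CRLF here
    if harden and not header_value_is_safe(cfg):
        raise ValueError("CR/LF in header value rejected")
    lines = [
        "HTTP/1.1 200 OK",
        "Set-Cookie: cfg=" + cfg,
        "Content-Type: text/html",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n<html>ok</html>").encode()


def parse_headers(raw):
    """Split the header block the way a client does: one (name, value) per CRLF."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    return [tuple(line.split(": ", 1))
            for line in head.split("\r\n")[1:] if ": " in line]


if __name__ == "__main__":
    # Constructed sample input: a value followed by an encoded CRLF and a header.
    tainted = "a%0d%0aX-Injected:%201"
    print(parse_headers(build_response(tainted, harden=False)))
    try:
        build_response(tainted, harden=True)
    except ValueError as exc:
        print("hardened:", exc)
```

The check must run on the decoded value: testing the raw query string would miss `%0d%0a`, which is why the model decodes before validating.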