| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 4 Dec 2012 13:20:49 +0100 From: Jakub Zoczek <zoczus@...il.com> To: full-disclosure@...ts.grok.org.uk Subject: Poczta.WP Multiple vulnerabilities - full disclosure Poczta.WP Multiple vulnerabilities full disclosure security paper Author: Jakub Zoczek [zoczus(x)gmail.com] 0x01 Intro ---------- Wirtualna Polska S.A. (WP) is one of the largest Polish web portals. Their email service (poczta.wp.pl) is affected by multiple cross-site scripting vulnerabilities and also one, almost fixed cross-site request forgery bug. After long time of waiting - I got a non-professional answer from Customer Service Manager of WP, so I decided to post all my research here. Thus... 0x02 XSS in mail attachments. ---------- Reported: 10/10/2012 State: Fixed Proof Of Concept: For example - jpeg picture with filename: sowa oraz "> inject <img src="boom.jpg" onerror="alert(document.cookie);"> hhh.jpg ..sent as e-mail attachment. Result: http://q-x.ath.cx/~zoczus/poc/wp/wpxss1.png 0x03 XSRF in AntyHack and AntySpam fitler (adding to white list) ---------- Reported: 24/11/2012 State: "Fixed" Proof Of Concept: http://q-x.ath.cx/~zoczus/poc/wp/wp-xsrf.txt Result: http://q-x.ath.cx/~zoczus/poc/wp/xsrf-wp1.jpg http://q-x.ath.cx/~zoczus/poc/wp/xsrf-wp2.jpg 0x04 XSRF in AntyHack and AntySpam fitler - bypassing 'fix' ;) ---------- Reported: 04/12/2012 State: Not fixed Proof Of Concept: Additional info for 0x03 - as I supposed, WP used the token in a white list form (every once in a while generated md5 of something). The problem is, that the token value is probably the same for each user. For different mail accounts, different browsers, different IP addresses - token is the same... Bypassing this protection seems to be quite simple. http://q-x.ath.cx/~zoczus/poc/wp/xsrf-bypass1.png http://q-x.ath.cx/~zoczus/poc/wp/xsrf-bypass2.png 0x05 XSS in mail headers ---------- Reported: 04/12/2012 State: Not fixed Proof Of Concept: Return-Path: <zoczus@....pl> Delivered-To: zoczus@...pl (zoczus) Received: (wp-smtpd mx.wp.pl 10088 invoked from network); 30 Nov 2012 16:04:58 +0100 Received: from emkei.cz ([46.167.245.118]) (envelope-sender <zoczus@....pl>) by mx.wp.pl (WP-SMTPD) with SMTP for <zoczus@...pl>; 30 Nov 2012 16:04:58 +0100 Received: by emkei.cz (Postfix, from userid 33) id D4119D5807; Fri, 30 Nov 2012 16:04:57 +0100 (CET) To: zoczus@...pl Subject: From: "zoczus@....pl" <zoczus@....pl> Head<img/src="a"/onerror="alert(document.location)">er: dont have spaces X-Priority: 3 (Normal) Importance: Normal Errors-To: zoczus@....pl Reply-To: zoczus@....pl Content-Type: text/plain; charset=utf-8 Message-Id: <20121130150457.D4119D5807@...ei.cz> Date: Fri, 30 Nov 2012 16:04:57 +0100 (CET) X-WP-DKIM-Status: no signature (id: n/a) X-WP-AV: skaner antywirusowy poczty Wirtualnej Polski S. A. X-WP-SPAM: NO (UW) 0000010 [8Wph] Dobre! Result: http://q-x.ath.cx/~zoczus/poc/wp/wp-xss2.png 0x06 The end. :) ---- Best regards, Jakub Zoczek _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists