================================================================================
# E.Mail.Ru Send Edited Message Vulnerability
================================================================================
# Site: https://e.mail.ru/
# Author: Ehsan Hosseini
# Contact: hehsan979@gmail.com
# Vulnerability Type: Design Issue, Privilege Escalation
# Severity : High
================================================================================
# Description:
https://en.wikipedia.org/wiki/Mail.Ru
# PoC :
Steps to reproduce
~! https://e.mail.ru/signup! !~
Step 1 : Complete SignUp Form
Step 2 : Enter an incorrect phone number.
Step 3 : Open Live Http Headers Firefox plugin
Step 4 : Submit Form
Step 5 : Replay Request to ~
https://e.mail.ru/cgi-bin/smsverificator?&ajax_call=1&lang=ru_RU&func_name=register
~
Step 6 : Edit the domain parameter to a text string.
Step 7 : Edit the phone parameter to the number of anybody you want to send the message to.
Step 8 : Replay Request...
Step 9 : The edited message is now sent to that phone number.
Now check the mobile phone to see the message.
See the attached video first, then the picture.
Video : https://youtu.be/cEiik4mE-pM
Result : https://cdn.pbrd.co/images/gyMQ5rh1A.png
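# Mitigation sketch (added example, not part of the original advisory and not Mail.Ru's code):
The steps above work because the server puts the client-supplied domain value into the SMS and sends it to whatever phone value arrives. The handler below assumes that behaviour and shows the server-side checks that close it; the class, function, limits and domain list are hypothetical, only the domain and phone parameter names come from the request above.

```python
import re
import secrets
import time

# Assumption: mailbox domains offered by the signup form (sample values).
ALLOWED_DOMAINS = {"mail.ru", "inbox.ru", "list.ru", "bk.ru"}
PHONE_RE = re.compile(r"\+[1-9]\d{7,14}")  # E.164-style number
MAX_SMS_PER_PHONE = 3      # constructed limit
WINDOW_SECONDS = 3600      # constructed window


class Rejected(Exception):
    """Request refused before any SMS is queued."""


class SmsVerifier:
    """Hypothetical server-side handler for the register SMS call."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sent = {}  # phone -> timestamps of recent sends

    def build_sms(self, params):
        """Return (phone, text) for the SMS gateway, or raise Rejected."""
        # 1. domain must be one of the fixed choices, never free text.
        domain = params.get("domain", "").strip().lower()
        if domain not in ALLOWED_DOMAINS:
            raise Rejected("domain is not an offered mailbox domain")
        # 2. Normalise and validate the destination number.
        phone = re.sub(r"[\s()-]", "", params.get("phone", ""))
        if not PHONE_RE.fullmatch(phone):
            raise Rejected("phone is not a valid number")
        # 3. Cap sends per number so a replayed request cannot flood it.
        now = self._clock()
        recent = [t for t in self._sent.get(phone, [])
                  if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_SMS_PER_PHONE:
            raise Rejected("too many messages to this phone number")
        self._sent[phone] = recent + [now]
        # 4. Text is a server-side template plus a server-generated code.
        code = f"{secrets.randbelow(10**6):06d}"
        return phone, f"{domain} verification code: {code}"
```

A request whose domain field carries free text is rejected before anything reaches the SMS gateway, and repeated replays to one number stop at the cap.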
# Timeline:
12 Sep 2016 - Discover Vulnerability
16 Sep 2016 - Report To Vendor
28 Sep 2016 - Mail.ru Confirmed This Issue
28 Sep 2016 - Mail.Ru rewarded $150 bounty.
01 Jan 2017 - Public Disclosure
# Discovered By : Ehsan Hosseini
# Special Thanks : Porya