ProtonMail.ch Header Injection / CSRF
(& out-of-date software vulnerabilities)
**Note that this finding houses site-specific data.
Security Advisory
-----------------
ProtonMail.ch Header Injection / CSRF
Authored by Juan Carlos Garcia
Website: habeuscurso.blogspot.com
Vulnerability Timeline
-------------------------------
- 05-05-2014: Security advisory sent => no response
- 08, 12 and 19-05-2014: Multiple advisories sent => no response
- 20-05-2014: Full disclosure
Alerts summary
********************
- CRLF injection / HTTP response splitting
  /crypt/cryptographp.php (parameter cfg)
- Apache 2.x version older than 2.2.6
  Web Server
- Apache 2.x version older than 2.2.8
  Web Server
- Apache 2.x version older than 2.2.9
  Web Server
- Apache httpd remote denial of service
  Web Server
- HTML form without CSRF protection
  /blog
  /blog/transparency-report
  /blog/wp-login.php
  /blog/wp-login.php (cac6435f6386a7a635b3f12aeb81195e)
  /crypt
  /lander
  /login.php
  /report_bug.php
  /sign_up.php
- Apache 2.x version older than 2.2.10
  Web Server
- Clickjacking: X-Frame-Options header missing
  Web Server
- Sensitive page could be cached
  /sign_up.php (a18aae949b9855b60506dc83164afe7f)
- Session cookie without HttpOnly flag set
  /
- TRACE method is enabled
  Web Server
- Broken links
  /css/bootstrap.css
  /css/bs.css
  /pages/contact_us.php
  /pages/mit_license.php
- Password type input with autocomplete enabled
  /blog/wp-login.php
I. VULNERABILITY
-------------------------
The ASAP-Sec penetration testers explain the faults listed in the title.
#Title: ProtonMail.ch suffers from CRLF injection / HTTP response splitting,
Apache 2.x versions older than 2.2.6 / 2.2.8 / 2.2.9 / 2.2.10, an Apache httpd
remote DoS, and CSRF
#Vendor: https://protonmail.ch:443/
#Author: Juan Carlos García
#Follow us: @habemuscurso
II. DESCRIPTION
-------------------------
- ProtonMail is incorporated in Switzerland and its servers are located in
Switzerland.
- It is outside US and EU jurisdiction, and all user data is protected by
strict Swiss privacy laws.
Because of their end-to-end encryption, ProtonMail claims that:
"Your data is already secure and encrypted by the time it reaches our
servers. We have no access to your messages, and since we cannot decrypt
them, we cannot share them with third parties."
- ProtonMail's segregated authentication and decryption system means that
logging into a ProtonMail account requires two passwords.
- The first password is used to authenticate the user and retrieve the
correct account. After that, the encrypted data is sent to the user.
- The second password is a decryption password which is never sent to
ProtonMail. It is used to decrypt the user's data in the browser, so
ProtonMail never has access to the decrypted data or the decryption
password.
- For this reason, ProtonMail is also unable to do password recovery.
- If you forget your decryption password, ProtonMail cannot recover your data.
By the way, ASAP-SEC is verifying this information... Let's get down to
business ;)
III. Vulnerabilities
---------------------
CRLF injection / HTTP response splitting
****************************************
This script is possibly vulnerable to CRLF injection attacks.
HTTP headers have the structure "Key: Value", where each line is separated
by the CRLF combination. If user input is injected into the value section
without properly escaping or removing CRLF characters, it is possible to
alter the structure of the HTTP headers.
HTTP response splitting is a "new" application attack technique which
enables various further attacks such as web cache poisoning, cross-user
defacement, hijacking of pages with sensitive user information, and
cross-site scripting (XSS).
The attacker sends a single HTTP request that forces the web server to
form an output stream which is then interpreted by the target as two HTTP
responses instead of one.
Affected items
------------------
/crypt/cryptographp.php
The impact of this vulnerability
----------------------------------
It is possible for a remote attacker to inject custom HTTP headers.
For example, an attacker can inject session cookies or HTML code.
This may lead to vulnerabilities such as XSS (cross-site scripting) or
session fixation.
How to fix this vulnerability
------------------------------------
You need to restrict CR (ASCII 13, 0x0D) and LF (ASCII 10, 0x0A) in the
user input, or properly encode the output, in order to prevent the
injection of custom HTTP headers.
Attack details
--------------------
URL encoded GET input cfg was set to
<SomeCustomInjectedHeader:injected_by_secnight
Injected header found:
SomeCustomInjectedHeader: injected_by_secnight
GET
/crypt/cryptographp.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight
HTTP/1.0 302 Found
Date: Wed, 28 May 2014 15:33:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.28
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: cryptcookietest=1
Location: cryptographp.inc.php?cfg=
SomeCustomInjectedHeader: injected_by_secnight&sn=PHPSESSID&
Strict-Transport-Security: max-age=15768000;includeSubDomains
Content-Length: 0
Connection: close
Content-Type: text/html
Variant 1
-----------
GET
/crypt/cryptographp.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_asapsec
HTTP/1.1
Referer: https://protonmail.ch:443/
Cookie: PHPSESSID=afaj9rt84m3oevgtld6thfe9l4; cryptcookietest=1
Host: protonmail.ch
Connection: Keep-alive
Response
----------
HTTP/1.0 302 Found
Date: Wed, 28 May 2014 15:33:55 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.28
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: cryptcookietest=1
Location: cryptographp.inc.php?cfg=
SomeCustomInjectedHeader: injected_by_wvs&sn=PHPSESSID&
Strict-Transport-Security: max-age=15768000;includeSubDomains
Content-Length: 0
Connection: close
Content-Type: text/html
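The following Python is an added illustration, not part of the advisory or of ProtonMail's code. It parses a constructed copy of the 302 response above in two ways (folding the space-prefixed line into Location as RFC 7230 obs-fold requires, and treating it as a separate header as lenient clients and the scanner do) and shows the check a fix needs: reject any CR or LF in a value, not just a bare CRLF, because the payload's %20 after %0d%0a makes the injected line look like a legal header continuation (this reading of why the payload carries the space is my assumption).

```python
import re

# Constructed sample modelled on the advisory's 302 response: the %0d%0a in
# the cfg parameter ends the Location value early, and the rest of the
# parameter arrives on its own line, prefixed by the %20 (space) of the payload.
RAW_302 = (
    "HTTP/1.0 302 Found\r\n"
    "Server: Apache/2.2.3 (CentOS)\r\n"
    "Set-Cookie: cryptcookietest=1\r\n"
    "Location: cryptographp.inc.php?cfg=\r\n"
    " SomeCustomInjectedHeader: injected_by_secnight&sn=PHPSESSID&\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def parse_headers(raw: str, fold_continuations: bool) -> list[tuple[str, str]]:
    """Split a raw response header block into (name, value) pairs.

    fold_continuations=True applies RFC 7230 obs-fold: a line starting with
    space or tab continues the previous value. False mimics a lenient client
    that treats every line as a new header, which is how the scanner saw it.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: list[tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:          # [1:] drops the status line
        if fold_continuations and headers and line[:1] in (" ", "\t"):
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def header_value_is_safe(value: str) -> bool:
    """True only if value can be emitted as a single header line.

    CR and LF are rejected outright, so a continuation cannot be smuggled in
    by following the CRLF with a space (the trick the payload relies on).
    """
    return re.search(r"[\r\n]", value) is None

def sanitize_header_value(value: str) -> str:
    """Drop every CR/LF run together with the fold whitespace after it."""
    return re.sub(r"[\r\n]+[ \t]*", "", value)

if __name__ == "__main__":
    for fold in (True, False):
        print("obs-fold" if fold else "lenient", parse_headers(RAW_302, fold))
```

Either way the injected text reaches the client: a folding parser sends the browser to a Location that carries it, and a lenient parser sees a brand-new header, which is why the fix must reject the characters at input time rather than rely on how the client parses.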
Apache 2.x version older than 2.2.10
**************************************
Fixed in Apache httpd 2.2.10: mod_proxy_ftp globbing XSS (CVE-2008-2939).
A flaw was found in the handling of wildcards in the path of an FTP URL
with mod_proxy_ftp. If mod_proxy_ftp is enabled to support FTP-over-HTTP,
requests containing globbing characters could lead to cross-site scripting
(XSS) attacks.
Affected Apache versions: 2.2.9, 2.2.8, 2.2.6, 2.2.5, 2.2.4, 2.2.3, 2.2.2,
2.2.0.
Apache httpd remote denial of service
*************************************
Vulnerability description
------------------------------
A denial of service vulnerability has been found in the way multiple
overlapping Range requests are handled by the Apache HTTPD server:
http://seclists.org/fulldisclosure/2011/Aug/175
An attack tool is circulating in the wild and active use of this tool has
been observed. The attack can be carried out remotely, and with a modest
number of requests it can cause very significant memory and CPU usage on
the server.
Affected Apache versions: 1.3.x, 2.0.x through 2.0.64, and 2.2.x through
2.2.19.
How to fix this vulnerability
-----------------------------
Upgrade to the latest version of Apache HTTP Server (2.2.20 or later),
available from the Apache HTTP Server Project web site.
Web references
--------------
CVE-2011-3192
Sensitive page could be cached
******************************
Vulnerability description
-----------------------
This page contains possibly sensitive information (e.g. a password
parameter) and could potentially be cached. Even over secure SSL channels,
sensitive data could be stored by intermediary proxies and SSL terminators.
To prevent this, a Cache-Control header should be specified.
This vulnerability affects
/sign_up.php (a18aae949b9855b60506dc83164afe7f).
GET /sign_up.php?username=urvimsoj HTTP/1.1
Pragma: no-cache
Referer: https://protonmail.ch/lander/
Response
----------
HTTP/1.0 200 OK
Date: Sun, 18 May 2014 19:27:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.28
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Strict-Transport-Security: max-age=15768000;includeSubDomains
Connection: close
Content-Type: text/html
Content-Length: 8285
HTML form without CSRF protection
********************************
Vulnerability description
------------------------------
Cross-site request forgery, also known as a one-click attack or session
riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a
website whereby unauthorized commands are transmitted from a user that the
website trusts.
The penetration testers (the authors) found an HTML form with no apparent
CSRF protection implemented. Consult the details for more information about
the affected HTML forms.
Affected items
---------------
/blog
/blog/transparency-report
/blog/wp-login.php
/blog/wp-login.php (cac6435f6386a7a635b3f12aeb81195e)
/crypt
/lander
/login.php
/report_bug.php
/sign_up.php
The impact of this vulnerability
--------------------------------
An attacker may force the users of a web application to execute actions of
the attacker's choosing.
A successful CSRF exploit can compromise end-user data and operations in
the case of a normal user. If the targeted end user is the administrator
account, this can compromise the entire web application.
How to fix this vulnerability
-----------------------------
Check whether this form requires CSRF protection and implement CSRF
countermeasures if necessary.
CREDITS
-------------------------
This vulnerability has been discovered by the author: Juan Carlos García
(@secnight)
(Special thanks to the @Habemuscurso students)
Numa Loring - @HabemusCurso student
and
the @habemuscurso community manager
--------------------------------------
VII. LEGAL NOTICES
-------------------------
The authors accept no responsibility for any damage caused by the use or
misuse of this information.