Security Advisory
#Title: polymail.io PPI Scanner / Insecure Microsoft-IIS 7.5 / Source Code Information Disclosure and MORE... MORE MORE
Time-Line Vulnerability
-----------------------
12-11-2018 First contact
15-11-2018 Second contact. There was a response, but not from the cybersecurity team.
           They gave me a new email address for contacting the security team.
15-12-2018 Security team response:
"All your Polymail account information is stored securely
and only the absolutely necessary components of the
macOS app and iOS app have access to it" ...and this app is for
operating systems that the bugs do not affect.
¿WHAT THE FUCK?
21-11-2018 I responded that this is the code of the web app and that the bugs could affect it.
28-11-2018 No response
29-11-2018 I verified that the same bugs still exist... Then
5-12-2018 Full disclosure
VULNERABILITY-------------------------
#Title: polymail.io PPI Scanner / Insecure Microsoft-IIS 7.5 / Source Code Disclosure
#Vendor: polymail.io
#Author: Juan Carlos García (@secnight)
#Follow us @secnight
#@Habemuscurso
DESCRIPTION
1 Polymail.io PPI Scanner
Initial release: July 20, 2016; 2 years ago
Platform: OS X, iOS
Polymail is an email application for OS X and iOS known for its clean interface and
additional features atop the Gmail platform. It was publicly released in July 2016. Polymail adds
several new features atop those associated with standard email. Its email tracking shows which
recipients have received and opened the email.[1] Users can also set reminders for when to follow up on
an email and schedule when they want their emails to send, if not immediately.
The app also holds emails briefly so that users can "undo send".[2] Polymail will also show
profiles for the user's recipients and senders by associating those email addresses with
those used in other social network services.
PROOF OF CONCEPT
2 PPI Scanner
Description
The response contains Personally Identifiable Information, such as CC number, SSN and similar sensitive data.
All 13 instances were found in the same resource:
URL https://polymail.io/downloads/dpa.pdf
Method GET
Evidence (one value per instance):
4012397152215206
2584593123125514
3500500278278500
5222295145143894
5637474537306473507
4445564443335005
6507221514343513
5041622951430538851
4514389478226507
5143053885142394
5564445564443335
4722646552752825
3513514514335250
Instances 13
Caveat: these are 16- and 19-digit numeric strings matched inside a PDF (the data processing agreement). All 13 pass the Luhn check, which is what the scanner filters on, but roughly one in ten random digit strings does too. A pattern match is not by itself proof of card data; open the PDF and confirm in context what each number is before treating this as a leak of payment data.
Solution
If the numbers are confirmed to be card data, remove or redact them from the published PDF.
Other information
Credit Card Type detected: Visa (this applies to the four instances that begin with 4; the 51-55 and 2221-2720 prefixes fall in Mastercard ranges, and the remaining prefixes need checking against a current IIN table)
Reference
CWE Id 359
WASC Id 13
Source ID 3
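The check a practitioner would run on the 13 evidence values before accepting the finding, as an added example that is not part of the original advisory: a Luhn validator, the unique-check-digit property it implies, and a coarse brand guess from the leading digits. The brand ranges are the commonly published ones and are an assumption for illustration, not an authoritative IIN table; the evidence list is copied from the advisory above.

```python
# Added example (not part of the original advisory): re-check the scanner's
# 13 "evidence" values. Luhn validity is necessary for a payment card number,
# but about one in ten random digit strings also passes, so a Luhn hit still
# needs manual confirmation in context. Brand ranges are an assumption.

from typing import List, Tuple

# The 13 values reported for https://polymail.io/downloads/dpa.pdf (from the advisory).
EVIDENCE: List[str] = [
    "4012397152215206", "2584593123125514", "3500500278278500",
    "5222295145143894", "5637474537306473507", "4445564443335005",
    "6507221514343513", "5041622951430538851", "4514389478226507",
    "5143053885142394", "5564445564443335", "4722646552752825",
    "3513514514335250",
]


def luhn_sum(digits: str) -> int:
    """Luhn checksum: from the right, double every second digit, subtract 9
    from any product above 9, then sum all digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True if the string is all digits, card-length, and Luhn-correct."""
    number = number.replace(" ", "")
    if not number.isdigit() or not 12 <= len(number) <= 19:
        return False
    return luhn_sum(number) % 10 == 0


def luhn_check_digit(partial: str) -> int:
    """The one digit that makes partial+digit Luhn-valid. For any prefix
    exactly one of the ten candidates passes, which is why Luhn alone
    accepts ~10% of arbitrary digit strings."""
    return next(d for d in range(10) if luhn_valid(partial + str(d)))


def card_brand(number: str) -> str:
    """Coarse brand guess from leading digits (assumed, non-authoritative ranges)."""
    n = len(number)
    p2, p4 = int(number[:2]), int(number[:4])
    if number[0] == "4":
        return "Visa"
    if (51 <= p2 <= 55 or 2221 <= p4 <= 2720) and n == 16:
        return "Mastercard"
    if p2 in (34, 37) and n == 15:
        return "American Express"
    if (p4 == 6011 or p2 == 65) and n == 16:
        return "Discover"
    if 3528 <= p4 <= 3589 and n == 16:
        return "JCB"
    return "unknown"


def triage(values: List[str]) -> List[Tuple[str, bool, str]]:
    """(value, luhn_valid, brand) for each scanner hit."""
    return [(v, luhn_valid(v), card_brand(v) if luhn_valid(v) else "-") for v in values]


if __name__ == "__main__":
    for value, ok, brand in triage(EVIDENCE):
        print(f"{value:<20} luhn={'ok ' if ok else 'BAD'} brand={brand}")
    print("check digit for 401239715221520:", luhn_check_digit("401239715221520"))
```

Every value passes Luhn and four of them fall in the Visa range, which is consistent with the scanner's output; the brand column also shows that "Visa" does not describe the 2-, 5- and 6-prefixed hits, and that four of the values match no common range at all.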
3 Insecure Microsoft-IIS 7.5
Description
Based on passive analysis of the response (the Server header), the insecure component
Microsoft-IIS 7.5 appears to be in use.
The highest known CVSS rating for this version
of the product is 10.0.
In total, 5 vulnerabilities were retrieved and analyzed.
Caveat: this is banner-based detection only. A Server header can be masked or rewritten, and the CVEs listed below are exploitable only when the affected component is enabled and unpatched (for example, CVE-2010-3972 is in the IIS FTP service and CVE-2010-2730 in the FastCGI handler), so the patch level of the host should be confirmed before any of them is attributed to it.
Method GET
Evidence Microsoft-IIS/7.5
Instances 1
Solution
Update from Microsoft-IIS 7.5 to the latest
stable version of the product.
Use a package manager and
package management policies and
procedures for managing installed versions
of software packages. For IIS, which ships as a Windows Server role rather than a separately installed package, this means applying the Microsoft security updates that address the CVEs below and moving to a supported Windows Server / IIS release; removing or masking the Server header also takes away the banner that triggered this finding.
Other information
CVE: CVE-2010-3972
CVSS: 10.0
CVE: CVE-2010-2730
CVSS: 9.3
CVE: CVE-2010-1256
CVSS: 8.5
CVE: CVE-2010-1899
CVSS: 4.3
CVE: CVE-2012-2531
CVSS: 2.1
References
http://www.cvedetails.com/cve-details.php?cve_id=CVE-2010-3972
http://www.cvedetails.com/cve-details.php?cve_id=CVE-2010-2730
http://www.cvedetails.com/cve-details.php?cve_id=CVE-2010-1256
http://www.cvedetails.com/cve-details.php?cve_id=CVE-2010-1899
http://www.cvedetails.com/cve-details.php?cve_id=CVE-2012-2531
CWE Id 829
WASC Id 42
VERY IMPORTANT:
At this moment I strongly discourage the use of this mail interface for iOS
and macOS: it has failures that include the database, where only Mac and
iOS users will be.
This email service has an application, so you should not have waited so long, because
there is an APP for this company.
The attack techniques that can be performed from the website against the mobile
app are possible for a malicious user.
UNTIL THE BUGS ARE FIXED, DON'T USE THIS APPLICATION
THE DANGER HAS A SCORING OF 9/10 (NIST)
The tests of the phone applications are finishing now, and from a printf() I am trying to get a shell...
4 Source Code Disclosure - PHP
------------------------------------
Description
The source code of the application was disclosed by the web server - PHP
Source ID 3
URL
https://polymail.ior/edgedl/widevine-cdm/1.4.9.1088-win-x64.zip?cms_redirect=yes&mip=85.59.44.163&mm=28&mn=sn-h5q7dned&ms=nvh&mt=1543951177&mv=m&pl=21&shardbypass=yes
Method GET (real example)
Caveat: this instance needs re-verification before it is counted. The path names a .zip archive (a Widevine CDM browser component download) and the evidence below is binary data, so the "<?=" match is most likely a byte sequence inside the compressed archive rather than PHP source. Check the Content-Type header and whether the body begins with the zip signature PK\x03\x04; a genuine disclosure would be a text body containing readable PHP.
Evidence <?=\x0004XnGoJ \x0000 5T9W\x0015\x0016\x000fpH \x0016}VI\x001c<bH~f\x0001\x0016=HIy\x0008
\x0014TP}D\x0017O4\x0002pT\x000f{:\x001f@wf\x0016\x001a8@\x0006l\x0015\x0017*\x0018I\x001f6t+Z\x0004!
\x0014"Y{0I8\x001f\x0019 \x0017p I'> 6?\x0011lV\x000b/\x001aTN;\x000e1Duw@@{pA)\x0003\x000eyn\x0008o\x0013\
x00132\x00185z\x0018\x001e6\x0011\x0007[\x0007L\x001bC?L\x0000~J{JM\x001bh\x000bYIi\x00084)\G|\x0004\x0012p
^p #e\x000c}Xj8pTld:\x000e@\x0005\A\x001ap\x0018{w7*ttFDYP\x0012Tr,hp.cU{92;djl\x001c(|\x0005,U&\Z`
GPo\x0004gHZ^w/\x0018 \x001aqJC\x0019\x00056EkE\x001dpW~y\x0011B$\x0007?PR*\x0013 cz]Y%\x001656\x0002^
\x0013uK9G&:\x0017y\x0017{\x0006\x0004\x0017u3\x001e9\x000fR, T7{o8n(D#mH+\x0012ap\x0014tqFV\x00114W\
x0017J4\x0005K\x0007/m\x0018nx*1_&q\x0011\x0007e;zP|\x001d\x0006)]M7%`;+Am{S9\x0010WnbX\x000b0@\
x000eT\x0004v\x0005\x0019Oa3f\x0010 4wr}]\x0000[/jpuz$8Qm4%\x0000Z{*5Q_{8LIU [HP\x0017\x0004 XVz$<07\
x0012Pg`Ih\x000c#R&\x00181d\x001f*\x0001jj8]\x0014zN\x0013A\x0018v9~m~\x0002bzg\x0010O>\x0001[b'\x000b{\x
000f=H]s2H!7p:\x0010\x00194q\x0010WZ\x0016\x0013D \x0000 OY\x0013T\x0019AU&fT}\x
0001o\x00158='8'\x0015x\x001d\x0001g\x0014\x0010lZ\x0003\x001fo\x0001q\x0007q\x001a%a's{9a0\x00151&U3"\
x0017m\x0001\x000c*XxZ*3O"\x0013\x001c9t%w\x0016\x000e\x001603@tSf`qx1\x0006 \x001d"x\x000f\x0016i\EYAvs
/\x001aV\x0017\F`\x001e\x0001GB\x0015y3xa }gJ(L!\x00120\x0015A\x0013NS &=G1vC\x000f\x0011sU[w3s\x0012N\x0019OD\x0012V?
\\x0008FoG Hk%->\x000b1l'9t[\\x001fEu\x0004\x0015\x0014T\x0007\x001cD\x0016n}q0yo\x000bzpo\x0007`\x0017.\
x0003yqK~\x0014I?TPf]YA&\x0012\x0003x!\x0018\x0016{AGp\x00145&tP\x0013R}*\x000bf>E?\x001bErY>l[r X
{(\x0002Dj40\x000c[\x000b\x0010 o`$6'@t9:`$\x001cPo\x0003\x0011=j>*i\x001e19(Ip8wLzX<p\x0019vE}\x0002
/(Iz\x0015V5W\x0008oO\x0015Q\x001ain9y:\x001a\x0014\x000fX\x001eA:m/`$\x0002K*K\x000c:\x0000X1@\
x001b'b5.\x000c_\x0015\x00134V&Mm;k4f\x0014*{bz>\x000b\x0007Hz \x000eqbanf'h\x0004}ob^
M=E \x000eXUAC\x001a\x0017$k\x0014\x0003_7\x001c}J\x000e\x0011MRlg\x000e\x0002:&U\
x0007KtI\x0018\x001a\x000cy?3:S8\x0011\x001e!A-Z4Pf\x00170\x00088YrD\x0019~ [...] (evidence truncated; the full response is much longer)
Instances 1
Solution
Ensure that application source code is not
available with alternative extensions,
and ensure that source code is not
present within other files or data deployed
to the web server, or served
by the web server.
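How both passive findings above (the Microsoft-IIS/7.5 banner in section 3 and the PHP source-disclosure match in section 4) would be triaged from raw responses, as an added example that is neither the advisory's nor Polymail's code. The three HTTP responses are constructed for the example, not captured from polymail.io; the zip response is built to reproduce the situation the section 4 evidence looks like (compressed bytes that happen to contain "<?="), and the PHP response is a made-up leak used as the positive case.

```python
# Added example (not from the advisory or from Polymail): triage a legacy IIS
# banner and a PHP source-disclosure match from raw HTTP responses.
# All responses below are constructed for the example.

import re
from typing import Dict, Optional, Tuple

Headers = Dict[str, str]

# Constructed: a page served with the banner the scanner reported.
RESP_IIS_HTML = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><body>welcome</body></html>"
)
# Constructed: a zip download whose compressed bytes contain "<?=".
RESP_ZIP = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"Content-Type: application/zip\r\n"
    b"\r\n"
    b"PK\x03\x04\x14\x00\x00\x00\x08\x00<?=\x04XnGoJ\x00 5T9W\x15\x16"
)
# Constructed: a genuine PHP source leak (text body, open tag, a credential).
RESP_PHP_LEAK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.14.0\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"<?php\n$pdo = new PDO('mysql:host=db;dbname=app', 'app', 'hunter2');\n"
)

ZIP_MAGIC = b"PK\x03\x04"
BINARY_TYPES = ("application/zip", "application/octet-stream", "application/pdf",
                "image/", "audio/", "video/")
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)")        # "<?php" or "<?=", not "<?xml"
IIS_BANNER = re.compile(r"^Microsoft-IIS/(\d+)\.(\d+)$", re.IGNORECASE)


def split_response(raw: bytes) -> Tuple[Headers, bytes]:
    """Split a raw HTTP/1.x response into lower-cased headers and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Headers = {}
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")
    return headers, body


def iis_version(headers: Headers) -> Optional[Tuple[int, int]]:
    """(major, minor) parsed from the Server banner, or None if it is not IIS."""
    m = IIS_BANNER.match(headers.get("server", ""))
    return (int(m.group(1)), int(m.group(2))) if m else None


def legacy_iis_banner(headers: Headers) -> bool:
    """True when the banner claims IIS 7.5 or older. Banner-only, like the
    scanner: a masked header gives no signal, and a real one still needs
    patch-level confirmation before any CVE is attributed to the host."""
    v = iis_version(headers)
    return v is not None and v <= (7, 5)


def looks_binary(body: bytes) -> bool:
    """NUL bytes or many control bytes in the first 512 bytes means not text."""
    sample = body[:512]
    if not sample:
        return False
    if b"\x00" in sample:
        return True
    ctrl = sum(1 for b in sample if b < 0x20 and b not in b"\t\r\n")
    return ctrl > len(sample) // 10


def php_source_disclosed(headers: Headers, body: bytes) -> bool:
    """A PHP open tag counts only in a text body that is not an archive."""
    ctype = headers.get("content-type", "").lower()
    if ctype.startswith(BINARY_TYPES) or body.startswith(ZIP_MAGIC) or looks_binary(body):
        return False
    return PHP_OPEN_TAG.search(body) is not None


def triage(raw: bytes) -> Dict[str, bool]:
    """Verdicts for one response: legacy banner, real PHP leak, binary body."""
    headers, body = split_response(raw)
    return {
        "legacy_iis_banner": legacy_iis_banner(headers),
        "php_source_disclosed": php_source_disclosed(headers, body),
        "binary_body": body.startswith(ZIP_MAGIC) or looks_binary(body),
    }


if __name__ == "__main__":
    for name, raw in (("iis_html", RESP_IIS_HTML), ("zip", RESP_ZIP), ("php_leak", RESP_PHP_LEAK)):
        print(name, triage(raw))
```

Run against the three samples, the zip response keeps the IIS banner verdict but is rejected as a PHP disclosure, which is the re-verification the section 4 caveat asks for; only the text response with a real open tag is reported.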
IV. CREDITS-------------------------
This vulnerability has been discovered by Juan Carlos García
(@secnight)
VII. LEGAL NOTICES-------------------------
The Author accepts no responsibility for any damage caused by the use or misuse of this information.