Severity: Informational
Bug ID: 707
Researcher: behroz
Status: Disclosed
Submitted: 10/06/2015

Description:

I checked the SPF records for www.crowdshield.com, where in the DNS resource records the MX record for crowdshield.com can be spoofed easily, or even an SMTP relay can result in sending unauthorized emails from the crowdshield.com mail domain.

Affected URL:

https://crowdshield.com

Affected Params:



Bug Evidence:

POC

An SMTP relay can easily send an unauthorized email from "anything"@crowdshield.com, for example [email protected], stating that "due to security reasons please re-enter your password", or that "you have been rewarded by crowdshield.com; to get the reward please click below". A normal user will believe it because it appears to come from the crowdshield.com mail server; therefore the user would blindly believe it and fall for this trick.

After the user clicks the link, there are many devastating possibilities which can be achieved by an attacker spoofing an authentic crowdshield.com person.

For example, PHP can be used to send email from the crowdshield.com domain; SMTP relay is possible:

<?php
$to = "[email protected]";
$subject = "Change your Password";
$txt = "Change your password by visiting here - [VIRUS LINK HERE]";
// The From header is set freely by the sender; with ?all in SPF nothing rejects it.
$headers = "From: [email protected]";
mail($to, $subject, $txt, $headers);
?>


Bug Recommendation:

When the user clicks the link, the user would be redirected to the attacker's website, which may result in stealing the crowdshield.com account session ID; hence a session would be hijacked and the attacker would easily get access to the victim's account, therefore he could read public and private information for that particular account. As the problem was in your mail exchange server, it would impact you in "reputation loss", as customers would lose faith in you, hence reducing your productivity. In fact, if the attacker is even more evil, the user might get infected in a bad way: after clicking on the attacker's link, a trojan would get installed on the victim's system, which would create a back door for the attacker to remotely access the system, and there are other devastating possibilities as well.

If you need a checksum for this vulnerability you could use one of the email spoofing tools that are available online. I tried to send from [email protected] to my email address to verify, and I received the email from [email protected].

Your SPF record for crowdshield.com:

v=spf1 include:spf.mandrillapp.com ?all

It should be:

v=spf1 include:spf.mandrillapp.com -all

In your SPF record you should replace ? with - before "all". - is strict, which prevents all spoofed emails except those you are sending. Your bug is that you are using ?; you should use -.

Screenshot:


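The ?all versus -all distinction in the recommendation above, as an added example that is not part of the original report: a small Python lint that parses an SPF TXT record and reports how the terminal "all" mechanism treats senders that match nothing else. It assumes the record text is supplied directly (the two records quoted above are embedded as constructed inputs), performs no DNS lookups, and does not follow include: or redirect= targets.

```python
import re

# Qualifier -> check_host() result (RFC 7208). A "+" or "?" on the terminal
# "all" lets unlisted senders through, which is what the report describes.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, value) tuples."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect= or exp=
            name, _, value = term.partition("=")
            parsed.append(("", name.lower(), value))
            continue
        m = re.match(r"^([+\-~?]?)([a-z0-9]+)(.*)$", term, re.I)
        if not m:
            raise ValueError("malformed term: %r" % term)
        qual, mech, rest = m.groups()
        parsed.append((qual or "+", mech.lower(), rest.lstrip(":")))
    return parsed


def lint_spf(record):
    """Return (result for senders matching nothing else, list of findings)."""
    terms = parse_spf(record)
    alls = [q for q, name, _ in terms if name == "all"]
    has_redirect = any(name == "redirect" for _, name, _ in terms)
    if not alls:
        if has_redirect:
            return "redirect", []  # outcome decided by the redirected record
        return "neutral", ["no terminal 'all': unlisted senders are neutral"]
    result = QUALIFIER_RESULT[alls[-1]]
    findings = []
    if result in ("pass", "neutral"):
        findings.append("'%sall' lets forged senders through (%s); use '-all'" % (alls[-1], result))
    elif result == "softfail":
        findings.append("'~all' only soft-fails forged senders; '-all' is stricter")
    return result, findings


# Constructed inputs: the record quoted in the report and the recommended fix.
WEAK = "v=spf1 include:spf.mandrillapp.com ?all"
FIXED = "v=spf1 include:spf.mandrillapp.com -all"
if __name__ == "__main__":
    for rec in (WEAK, FIXED):
        print(rec, "->", lint_spf(rec))
```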

Direct Chat

behroz 10/06/2015
submitted a Other bug to CrowdReport
CrowdReport 10/06/2015
Thanks, this is fixed now but in the future, please submit to the CrowdShield bug bounty program for proper rewards/triage. https://crowdshield.com/bug-bounty-list.php?bug_bounty_program=crowdshield
CrowdReport 10/06/2015
awarded 10 points to behroz for a Other bug
CrowdReport 10/06/2015
closed a Other bug submitted by behroz
CrowdReport 10/06/2015
disclosed a Other bug submitted by behroz
