Mail.Ru - HackerOne Bug Reports

Public Mail.Ru bug reports.

4,419 Bug Reports - $2,030,173 Paid Out
Last Updated: 12th September, 2017

Team	Bounty	Title
Mail.Ru	-	Open Redirect on [My.com]
Mail.Ru	$100	BruteForce Any [My.com] Account Credentials.
Mail.Ru	$150	XSS в портальной навигации
Mail.Ru	$500	Xss в https://e.mail.ru/
Mail.Ru	$500	Xss в https://e.mail.ru/
Mail.Ru	-	IDOR in tender.mail.ru leading to Information Disclosure
Mail.Ru	-	Open Redirection at https://it.mail.ru/
Mail.Ru	-	Open Redirect
Mail.Ru	$750	Stored XSS in e.mail.ru (payload affect multiple users)
Mail.Ru	-	Reflected XSS on frag.mail.ru
Mail.Ru	-	Stored XSS
Mail.Ru	-	Open Redirect
Mail.Ru	-	Disclosure of information on static.dl.mail.ru
Mail.Ru	-	CSRF Send a message at street-combats.mail.ru
Mail.Ru	-	Излишние права при авторизации через интерфейс mail.ru
Mail.Ru	-	[ml.money.mail.ru] Open Redirect
Mail.Ru	-	[cooking.lady.mail.ru] Open Redirect
Mail.Ru	-	[element.mail.ru] /.svn/entries
Mail.Ru	-	[qpt.mail.ru] CRLF Injection / Open Redirect
Mail.Ru	-	[pokerist.mail.ru] XSS Request-URI
Mail.Ru	-	[allods.mail.ru] Cross-Site Request Forgery (Add-Item)
Mail.Ru	$300	Time-based sql-injection на https://puzzle.mail.ru
Mail.Ru	-	Reflected XSS @ games.mail.ru
Mail.Ru	-	[cfire.mail.ru] CSRF Bypassed - Changing anyone's 'User Info'
Mail.Ru	-	[realty.mail.ru] XSS, SSI Injection
Mail.Ru	-	[opensource.mail.ru] system accounts enumeration
Mail.Ru	-	Cross Site Request Forgery (CSRF)
Mail.Ru	-	Back Refresh Attack after registration and successful logout
Mail.Ru	-	BRUTE FORCE ATTACK
Mail.Ru	$150	[townwars.mail.ru] Time-Based SQL Injection
Mail.Ru	$250	Mail.ru for Android Content Provider Vulnerability
Mail.Ru	$150	[tidaltrek.mail.ru] SQL Injection
Mail.Ru	$150	Code source discloure & ability to get database information "SQL injection" in [townwars.mail.ru]
Mail.Ru	$150	[tidaltrek.mail.ru] SQL Injection
Mail.Ru	-	[sales.mail.ru] CRLF Injection
Mail.Ru	-	Insecure cookies without httpOnly flag set
Mail.Ru	$100	[my.mail.ru] HTML injection в письмах от myadmin@corp.mail.ru
Mail.Ru	$160	[upload-X.my.mail.ru] /uploadphoto Insecure Direct Object References
Mail.Ru	-	[torg.mail.ru] CRLF Injection
Mail.Ru	$150	SQL Injection
Mail.Ru	-	AXFR на plexus.m.smailru.net работает
Mail.Ru	$250	XSS с помощью специально сформированного файла.
Mail.Ru	-	Обход basic авторизации [qpt.mail.ru]
Mail.Ru	-	Reflected XSS на games.mail.ru
Mail.Ru	$200	bgplay.mail.ru
Mail.Ru	$150	By pass admin panel [conference.mail.ru]
Mail.Ru	$150	By pass admin panel [seminars.mail.ru]
Mail.Ru	-	Утечка информации через JSONP (XXSI)
Mail.Ru	$500	Admin panel access restrictions bypass [poll.mail.ru/admin/]
Mail.Ru	-	Stored XSS на street-combats.mail.ru
Mail.Ru	$250	SSRF на element.mail.ru
Mail.Ru	$600	VERY DANGEROUS XSS STORED inside emails
Mail.Ru	$150	[3k.mail.ru] SQL Injection
Mail.Ru	$300	[orsotenslimselfie.lady.mail.ru] SQL Injection
Mail.Ru	-	[touch.lady.mail.ru] CRLF Injection
Mail.Ru	-	[api.login.icq.net] Reflected XSS
Mail.Ru	-	[api.login.icq.net] Open Redirect
Mail.Ru	$300	[afisha.mail.ru] SQL Injection
Mail.Ru	-	Logical Vulnerability : REDIRECTING on pw.mail.ru by Parameter Spoofing
Mail.Ru	$150	[allods.my.com] SSRF / XSPA
Mail.Ru	-	[3k.mail.ru] Content Spoofing
Mail.Ru	-	Multiple vulnerabilities in mail.ru subdomains
Mail.Ru	$150	[parapa.mail.ru] SQL Injection
Mail.Ru	$150	[cfire.mail.ru] Time Based SQL Injection
Mail.Ru	-	XSS at forum :
Mail.Ru	$500	reflected in xss
Mail.Ru	-	Reflected XSS on hi-tech.mail.ru
Mail.Ru	-	[tz.mail.ru] XSS в функционале авторизации
Mail.Ru	-	[w1.dwar.ru] Core Dump
Mail.Ru	-	[gitmm.corp.mail.ru] Auth Bypass, Information Disclosure
Mail.Ru	-	[otus.p.mail.ru] CRLF Injection
Mail.Ru	-	[otus.p.mail.ru] Full Path Disclosure
Mail.Ru	-	[opensource.mail.ru] Debug Mode
Mail.Ru	$300	Potential SSRF in sales.mail.ru
Mail.Ru	-	[allods.my.com] Full Path Disclosure
Mail.Ru	-	[allods.my.com] Full SQL Disclosure
Mail.Ru	-	[it.mail.ru] Open Redirect
Mail.Ru	-	Reflected XSS.
Mail.Ru	-	[allods.mail.ru] Reflected XSS
Mail.Ru	$300	[api.allodsteam.com] Authentication Data
Mail.Ru	-	Reflected XSS.
Mail.Ru	-	Reflective Xss on news.mail.ru and admin.news.mail.ru
Mail.Ru	-	[ling.go.mail.ru] Server-Status opened for all users
Mail.Ru	-	Reflected XSS на https://aw.mail.ru/news/
Mail.Ru	-	Vulnerability :- "XSS vulnerability"
Mail.Ru	$500	XSS: https://light.mail.ru/compose, https://m.mail.ru/compose/[id]/reply при ответе на специальным образом сформированное письмо
Mail.Ru	-	[support.my.com] Internet Explorer XSS
Mail.Ru	-	[rabota.mail.ru] Open Redirect
Mail.Ru	-	xss на нескольких форумах игр от mail.ru (Cross-Site Scripting)
Mail.Ru	$150	XSS at af.attachmail.ru
Mail.Ru	-	[riot.mail.ru] Reflected XSS in debug-mode
Mail.Ru	-	[start.icq.com] Reflected XSS via Cookies
Mail.Ru	$150	Time-Based Blind SQL Injection Attacks
Mail.Ru	$150	Cross site scripting
Mail.Ru	$160	[my.mail.ru] CRLF Injection
Mail.Ru	$200	Possible xWork classLoader RCE: shared.mail.ru
Mail.Ru	-	[tanks.mail.ru] Internet Explorer XSS via Request-URI
Mail.Ru	-	[mrgs.mail.ru] Internet Explorer XSS via Request-URI
Mail.Ru	$250	[s.mail.ru] CRLF Injection
Mail.Ru	-	help2.m.smailru.net: XSS
Mail.Ru	$150	Activities are not Protected and able to crash app using other app (Can Malware or third parry app).
Mail.Ru	$250	HTML Injection на e.mail.ru
Mail.Ru	-	https://voip.agent.mail.ru/phpinfo.php
Mail.Ru	$150	http://tp-dev1.tp.smailru.net/
Mail.Ru	$200	tt-mac.i.mail.ru: Quagga 0.99.23.1 (Router) : Default password and default enable password
Mail.Ru	$400	http://fitter1.i.mail.ru/browser/ торчит Graphite в мир
Mail.Ru	$400	store-agent.mail.ru: stacked blind injection
Mail.Ru	-	Flash XSS on img.mail.ru
Mail.Ru	$500	e.mail.ru stored XSS in agent via sticker (smile)
Mail.Ru	-	XSS in touch.sports.mail.ru
Mail.Ru	-	XSS in ad.mail.ru
Mail.Ru	-	XSS in realty.mail.ru
Mail.Ru	$300	RCE через JDWP
Mail.Ru	$150	scfbp.tng.mail.ru: Heartbleed
Mail.Ru	$150	HDFS NameNode Public disclosure: http://185.5.139.33:50070/dfshealth.jsp
Mail.Ru	-	Full Path Disclosure
Mail.Ru	$600	Same Origin Policy bypass
Mail.Ru	-	XSS Vulnerability in cfire.mail.ru/screen/1/
Mail.Ru	-	http://217.69.136.200/?p=2&c=Fetcher%20cluster&h=fetcher1.mail.ru
Mail.Ru	$150	Heartbleed: my.com (185.30.178.33) port 1433
Mail.Ru	$150	Hadoop Node available to public
Mail.Ru	$100	Раскрытие номера мобильного телефона при двухфакторной аутентификации
Mail.Ru	-	3k.mail.ru: XSS
Mail.Ru	-	/surveys/2auth: DOM-based XSS
Mail.Ru	-	GET /surveys/2auth: XSS
Mail.Ru	$100	No bruteforce protection leads to enumeration of emails in http://e.mail.ru/
Mail.Ru	-	[odnoklassniki.ru] XSS via Host
Mail.Ru	$250	[connect.mail.ru] Memory Disclosure / IE XSS
Mail.Ru	-	Нежелательная информация
Mail.Ru	$500	Ошибка фильтрации
Mail.Ru	-	Flash XSS на old.corp.mail.ru
Mail.Ru	$200	OpenSSL HeartBleed (CVE-2014-0160)
Mail.Ru	-	Авторизуюсь от имени любого пользователя parapa.mail.ru
Mail.Ru	-	Выполнение кода PHP через FastCGI
Mail.Ru	$500	touch.mail.ru XSS via message id
Mail.Ru	$1,337	XSS via .eml file
Mail.Ru	-	Не уверен, что этому место на периметре: 94.100.180.95, 94.100.180.96, 94.100.180.97, 94.100.180.98
Mail.Ru	$150	money.mail.ru: Странное поведение SMS
Mail.Ru	-	Version Disclosure (NginX)
Mail.Ru	$150	cloud.mail.ru: File upload XSS using Content-Type header
Mail.Ru	$1,000	e.mail.ru: File upload "Chapito" circus
Mail.Ru	-	files.mail.ru: HTTP Header Injection
Mail.Ru	$100	m.agent.mail.ru: Подделываем j2me app-descriptor
Mail.Ru	-	target.mail.ru: XSS через Referer
Mail.Ru	-	target.mail.ru: XSS
Mail.Ru	$3,000	Possibility to attach any mobile number to any email
Mail.Ru	-	tp-demo1.corp.mail.ru: SVN наружу торчит
Mail.Ru	-	my.mail.ru: HTTP Header Injection
Mail.Ru	$400	e.mail.ru: SMS spam with custom content
Mail.Ru	-	Cross Site Scripting
Mail.Ru	-	Раскрытие полного серверного пути
Mail.Ru	$150	SQL Injection on 11x11.mail.ru
Mail.Ru	-	Reflected XSS
Mail.Ru	-	Перечисление каталогов за счёт уязвимости в IIS
Mail.Ru	-	[corp.mail.ru] CRLF Injection / Insecure nginx configuration
Mail.Ru	-	Flash XSS in http://go.mail.ru
Mail.Ru	-	Flash XSS in http://lingvo.mail.ru
Mail.Ru	-	Flash XSS - http://hi-tech.mail.ru/
Mail.Ru	-	XSS in "About Video"
Mail.Ru	$300	connect.mail.ru: SSRF
Mail.Ru	$1,000	https://217.69.135.63/rb/: money.mail.ru sources disclosure
Mail.Ru	-	touch.afisha.mail.ru: XSS
Mail.Ru	-	files.mail.ru: XSS
Mail.Ru	-	api.video.mail.ru: XSS
Mail.Ru	-	(m.mail.ru) Password type input with auto-complete enabled
Mail.Ru	$500	auth.mail.ru: XSS in login form
Mail.Ru	-	Reflected XSS connect.mail.ru (IE6-IE8)
Mail.Ru	-	Reflected XSS in User-Agent
Mail.Ru	-	Раскрытие путей сервера за счёт неопределённого индекса в сценарии /home/berserk-online.com/public_html/forum/Themes/berserker/Profile.template.php
Mail.Ru	$500	XSS in a file or folder name
Mail.Ru	$700	XXE and SSRF on webmaster.mail.ru
Mail.Ru	$150	Stored XSS on http://cards.mail.ru
Mail.Ru	$300	Stored XSS on http://top.mail.ru
Mail.Ru	$250	SQL injection update.mail.ru
Mail.Ru	$400	XSS in https://e.mail.ru/cgi-bin/lstatic (Limited use)
Mail.Ru	-	Content Spoofing vulnerability in Mail.ru mobile
Mail.Ru	$150	SQL inj
Mail.Ru	-	Persistent XSS in afisha.mail.ru
Mail.Ru	$150	SQL
Mail.Ru	$150	SQL inj
Mail.Ru	-	Login without SSL-Protection
Mail.Ru	$200	Time based sql injection
Mail.Ru	$200	SQL injection [дырка в движке форума]
Mail.Ru	$250	Home page reflected XSS
Mail.Ru	-	Unproper usage of Mobile Number that will lead to Information Disclosure
Mail.Ru	-	No CSRF token used in Phone Verification POST
Mail.Ru	$150	localStorage не чистится после выхода
Mail.Ru	-	Admin panel of http://tp-test1.corp.mail.ru/ is acccessible publicly
Mail.Ru	$150	Clickjacking
Mail.Ru	-	Reflected XSS
Mail.Ru	-	Clicjacking on Login panel
Mail.Ru	-	Xss On http://my.mail.ru/
Mail.Ru	-	rs.mail.ru - Flash Based XSS