One.com CSRF and XSS
About a year ago I found a few vulnerabilities on the one.com website. For those of you that don't know, one.com is a fairly big and cheap hosting provider in Scandinavia. I reported the issues, but some have not been fixed yet. Since it's been so long and one.com went silent in our communication, I've decided to disclose the following vulnerabilities.
They're old and mostly don't work any longer, but they might be interesting still.
At first, pretty much every function on the site for administering your website was vulnerable to CSRF. I made a basic demo that changed the DNS settings of the user's site and sent it to the staff.
This vulnerability was confirmed and was fixed pretty early.
Another vulnerability was in a redirect function which took the user from the admin interface at one.com/admin/ to the phpMyAdmin interface. As a user-friendly touch it bypassed authentication by means of a generated ticket, which it attached to a custom URL pointing into the phpMyAdmin application. By manipulating that URL I managed to send the authentication ticket to my own server instead. Using CSRF I could then harvest a live ticket from a user's session to gain access to their phpMyAdmin instance.
The URL it redirected to contained a basic PHP script to dump the ticket from the URL and display a nice picture to lull the user. This way the image tag still loaded too. Yay!
Using the ticket you could then gain access to the phpMyAdmin site at the original redirect endpoint.
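The root cause above is a redirect endpoint that attaches an authentication ticket to whatever URL it is handed. As an added example (not one.com's code, and the host name, parameter name and URLs are assumed placeholders), this is the kind of allow-list check such an endpoint should apply before attaching a ticket, so that a manipulated target never receives it:

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qsl

# Assumed placeholders, not one.com's real host or parameter name.
ALLOWED_PMA_HOSTS = {"phpmyadmin.example.com"}
TICKET_PARAM = "ticket"


def is_trusted_redirect(target: str) -> bool:
    """Return True only for an absolute https URL whose host is allow-listed.

    Rejects scheme-relative targets ('//other.example'), userinfo tricks
    ('https://phpmyadmin.example.com@other.example'), backslash variants
    that browsers normalise differently from urlsplit, and unknown hosts.
    """
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_PMA_HOSTS


def build_ticket_redirect(target: str, ticket: str) -> Optional[str]:
    """Attach the ticket only to a trusted target; return None otherwise.

    Any existing ticket parameter in the target is dropped and the fragment
    is discarded, so the caller controls neither where nor how the ticket
    appears in the final URL.
    """
    if not is_trusted_redirect(target):
        return None
    parts = urlsplit(target)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != TICKET_PARAM]
    query.append((TICKET_PARAM, ticket))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))
```

The ticket itself should additionally be single-use and short-lived, so that even a leaked one has little value.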
I also found some XSS in the premade blog and gallery websites which one.com provides for you. These are likely not enabled by the user, though, and the ones I found were reflected via POST. Here is an example exploit:
Contact attempt #1: 2013-03-21 CSRF.
One.com response: 2013-03-21 Confirmed issue.
phpMyAdmin CSRF and minor XSS: 2013-03-23
Contact attempt #2 after no fix: 2013-04-21
Cue nearly a year of no changes.
The CSRF holes I found have been fixed or deprecated/removed in the new admin interface. The minor XSS still remains to be fixed.