Uberspace is a web-hosting company with a special offer. Instead of selling boring “webpanels” they’re offering direct access via SSH. Another cool thing is that you can choose the price you want to pay for the service and the really epic support. That’s why we’re hosting our website (internetwache.org) on their systems.
This friday (26th of april 2013) we had a look on the simple webpanel. In the end we had a couple of CSRF, XSS and open redirect issues on the list.
The CSRF issue existed because of missing csrf tokens in various actions in the webpanel. A lot of requests passed a “return_to” parameter, which redirected a user to the given location after successful execution. The URL was not validated correctly, thus allowing someone to redirect you to other domains. Much more interesting was the XSS we have found. There was a list of all active email accounts and also the opportunity to edit or delete those accounts. These actions were trigger by some javascript:
1
| |
The last part of the filename from the .qmail-file (here: .qmail-EMAILTITEL) was used to create the link. To exploit the vulnerability you just had to put some special chars to the end of the emailaddressfile. On a linux system this is very easy:
1
| |
After you have refreshed the webpanel there the following link was generated:
1
| |
Unfortunately this exploit was colliding with the fade-in jquery-call, so the link was invisible, but still clickable. One click on a invisible link would trigger the eventlistener just as well our injected code. Nevertheless, the attacker would have needed shell access to the corresponding Uberspace account to create the tainted qmail file.
After we send an email at 8 am in the morning to the “Ubernauten”, we got a response from the operator Jonas Pasche right after a few hours. He told us that we had changed his plan for this day and that he’ll implement all necessary countermeasures. It just took him about 6 hours (!) to fix everything and give us a detailed overview in an long email.
We want to give back the thanks we got for the report along with a prize for the fastest fix so far.
We can sincerely recommend Uberspace: a competent team, great service and powerful webhosting. With this recommendation we would like to complete this case.
The team of internetwache.org