SoylentNews is people

posted by chromas on Tuesday January 15 2019, @10:24AM
from the all-your-sites-are-belong-to-us dept.

Popular Web-Hosting Platform Bluehost Riddled with Flaws, Researcher Claims:

He said that similar flaws were also found in the Dreamhost, HostGator, OVH and iPage web hosting platforms.

A researcher claims to have uncovered one-click client-side vulnerabilities in the popular Bluehost web hosting platform. These would allow cybercriminals to easily carry out complete account takeover, according to the analysis.

Independent researcher and bug-hunter Paulos Yibelo, working with Website Planet, set up a testing site with Bluehost, which powers more than 2 million sites around the world according to its "About Us" page. He found multiple account takeover and information leak vulnerabilities in the platform, as well as a lack of password verification when changing account credentials.

The highest-severity problem that Yibelo uncovered was a misconfiguration of cross-origin resource sharing (CORS), the mechanism by which a site tells browsers which other origins may read its responses.

[...] A second, moderately high flaw would allow account takeover because of improper validation of JSON requests, which opens the door to cross-site request forgery (CSRF). The vulnerability allows attackers to change the email address of any Bluehost user to an address of their choice and then reset the password through that new address, gaining complete access to the victim's account. The attack executes when a victim clicks a single malicious link or visits a single malicious website, according to Yibelo.
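
The following is an added example, not code from Threatpost, Yibelo or Bluehost, showing the mechanics behind "improper JSON request validation": a cross-site HTML form can deliver a body that parses as JSON without triggering any CORS preflight, so a handler that only checks the session cookie is forgeable. The hardened handler adds the checks a practitioner would want (exact Content-Type, Origin, a per-session CSRF token, and re-authentication before changing the address that password resets go to). The host name, field names, token and password are assumptions.

```javascript
// Added example, not Bluehost's code or Yibelo's PoC: why "the endpoint
// only accepts JSON" is no CSRF defence, and a request check that is.
// The host name, field names, token and password are illustrative.

const API_ORIGIN = "https://my.example-host.com"; // assumed API origin

// What a cross-site HTML form with enctype="text/plain" sends: each field
// as `name=value`, joined by CRLF, with nothing encoded. An attacker splits
// the JSON across the name and the value of a single field:
//   <form action="https://my.example-host.com/api/account/email"
//         method="POST" enctype="text/plain">
//     <input name='{"email":"attacker@attacker.test","pad":"' value='"}'>
//   </form>
// text/plain is a CORS-safelisted content type, so no preflight is sent,
// and a 2019 browser attaches the victim's session cookie to the POST.
function textPlainFormBody(fields) {
  return Object.entries(fields).map(([k, v]) => `${k}=${v}`).join("\r\n");
}

const forgedBody = textPlainFormBody({
  '{"email":"attacker@attacker.test","pad":"': '"}',
});
// forgedBody is '{"email":"attacker@attacker.test","pad":"="}', valid JSON.

// Constructed request; header names are lower-cased as Node's http module does.
const forgedRequest = {
  method: "POST",
  headers: { "content-type": "text/plain", origin: "https://attacker.test",
             cookie: "session=victim-session-id" },
  body: forgedBody,
};

// Constructed request as the real account page would send it.
function legitimateRequest(session) {
  return {
    method: "POST",
    headers: { "content-type": "application/json; charset=utf-8", origin: API_ORIGIN,
               cookie: "session=victim-session-id", "x-csrf-token": session.csrfToken },
    body: JSON.stringify({ email: "new@example.test", currentPassword: "hunter2" }),
  };
}

function newSession() {
  return { email: "victim@example.test",
           password: "hunter2",                // stand-in for a password hash
           csrfToken: "csrf-token-constructed" };
}

// Broken: parses whatever arrived and trusts the session cookie alone.
function changeEmailLax(req, session) {
  const data = JSON.parse(req.body);            // content type never checked
  session.email = data.email;
  return { ok: true, email: session.email };
}

// Hardened. Check 1 alone stops the text/plain trick; the others cover
// what it misses (a cross-site fetch the CORS policy let through, a lost
// Origin header, a stolen session).
function changeEmailStrict(req, session) {
  // 1. Insist on application/json. A form cannot send it; fetch/XHR can,
  //    but cross-site that triggers a preflight the CORS policy can refuse.
  const ct = (req.headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (ct !== "application/json") return { ok: false, reason: "content-type" };
  // 2. Browsers add Origin to cross-site POSTs and pages cannot forge it.
  //    Browsers have not always sent it on same-origin POSTs, so absence is
  //    tolerated here and left to the token check.
  const origin = req.headers["origin"];
  if (origin !== undefined && origin !== API_ORIGIN) return { ok: false, reason: "origin" };
  // 3. A per-session token that a third-party page has no way to read.
  if (req.headers["x-csrf-token"] !== session.csrfToken) return { ok: false, reason: "csrf-token" };
  let data;
  try { data = JSON.parse(req.body); } catch { return { ok: false, reason: "json" }; }
  // 4. Re-authenticate before changing the address password resets go to.
  if (typeof data.currentPassword !== "string" || data.currentPassword !== session.password)
    return { ok: false, reason: "password" };
  session.email = data.email;
  return { ok: true, email: session.email };
}

console.log("lax handler, forged request:", changeEmailLax(forgedRequest, newSession()));
console.log("strict handler, forged request:", changeEmailStrict(forgedRequest, newSession()));
```

Run with `node`; the lax handler accepts the forged body and rewrites the email, the strict one rejects it at the Content-Type check. Note that the strict handler compares the token and password with `!==` for brevity; production code compares secrets in constant time.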

[...] A third, also moderately high, vulnerability would allow account takeover by way of cross-site scripting (XSS), demonstrated in a proof-of-concept [0]. Yibelo determined that it is exacerbated by two further weaknesses. Bluehost does not require the current password when changing the account's email address, so an attacker can use this XSS to mount the CSRF attack above and take over any account. And Bluehost's sensitive cookies carry no HttpOnly flag, so any JavaScript running on the page can read them and send them to an attacker, who can then use them to authenticate as the user.
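
An added example (not Bluehost's code or the researcher's PoC) showing the reflected-parameter pattern that the PoC URL in [0] targets, two ways of rendering the value so the payload stays inert, and a check for the HttpOnly flag the article says was missing. The hidden-input template, cookie names and values are assumptions.

```javascript
// Added example, not Bluehost's code: reflecting a query parameter into
// an attribute, rendering it safely, and auditing Set-Cookie for HttpOnly.
// The template, cookie names and values are illustrative.

// Payload from the article's PoC URL, as it arrives after query decoding.
const PAYLOAD = '"><script>alert(document.domain)</script>';

// Broken: the parameter is interpolated straight into an attribute value.
// The leading `">` closes the value and the tag; the rest becomes markup.
function renderRedirectFieldUnsafe(domainkey) {
  return `<input type="hidden" name="l_redirect" value="/cgi/dm/subdomain/redirect?domainkey=${domainkey}">`;
}

// Encode the five characters that change meaning inside a quoted
// attribute value or a text node. This is the minimal HTML-context encoder.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Fixed, variant 1: HTML-encode for the attribute context.
function renderRedirectFieldEscaped(domainkey) {
  return `<input type="hidden" name="l_redirect" value="/cgi/dm/subdomain/redirect?domainkey=${escapeHtml(domainkey)}">`;
}

// Fixed, variant 2: the value is a URL query component, so percent-encode
// it first (this is the shape of the escaped output in the comments below),
// then HTML-encode because the URL still lives inside an attribute.
function renderRedirectFieldUrlEncoded(domainkey) {
  return `<input type="hidden" name="l_redirect" value="/cgi/dm/subdomain/redirect?domainkey=${escapeHtml(encodeURIComponent(domainkey))}">`;
}

// Set-Cookie value with the flags that keep a session cookie away from
// injected script (HttpOnly) and off plaintext connections (Secure).
function sessionCookie(name, value, { maxAgeSeconds = 3600 } = {}) {
  return `${name}=${value}; Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly; SameSite=Lax`;
}

// Audit a response's Set-Cookie values: which cookies could a script on
// the page read through document.cookie and exfiltrate?
function cookiesReadableByScript(setCookieHeaders) {
  return setCookieHeaders
    .filter(h => !h.split(";").slice(1).some(a => a.trim().toLowerCase() === "httponly"))
    .map(h => h.split("=")[0].trim());
}

// Constructed response headers: one cookie without HttpOnly, one with.
const SAMPLE_SET_COOKIE = [
  "session=victim-session-id; Path=/",
  sessionCookie("csrf", "csrf-token-constructed"),
];

console.log("unsafe   :", renderRedirectFieldUnsafe(PAYLOAD));
console.log("escaped  :", renderRedirectFieldEscaped(PAYLOAD));
console.log("urlencode:", renderRedirectFieldUrlEncoded(PAYLOAD));
console.log("readable by script:", cookiesReadableByScript(SAMPLE_SET_COOKIE));
```

Run with `node`. Only the unsafe rendering contains a live `<script>` tag; the audit lists `session` as readable by script because its Set-Cookie line lacks HttpOnly, which is exactly the condition that turns a reflected XSS into a session theft.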

[...] And finally, a medium-severity issue arises because of improper CORS validation, which allows a man-in-the-middle attack.
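
Neither the highest-severity CORS misconfiguration above nor this medium-severity CORS validation issue is described in detail in the excerpt, so the block below is an added illustration (not Bluehost's code) serving both passages: the two most common ways a CORS origin check fails, reflecting the Origin header and matching the host with an unanchored pattern, beside a check that parses the origin, requires https (accepting a plain-http origin is what lets an attacker on the network path read credentialed responses) and compares the whole origin against an allowlist. Host names are assumptions.

```javascript
// Added example, not Bluehost's code: how a CORS origin check goes wrong
// and how to write one that does not. Host names are illustrative.

// Origins that are genuinely allowed to call this API with credentials.
const ALLOWED_ORIGINS = new Set([
  "https://my.example-host.com",
  "https://www.example-host.com",
]);

// Broken pattern 1: reflect whatever Origin the browser sent and allow
// credentials. Any site, including a "null" origin, can now read
// authenticated responses.
function corsHeadersReflect(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Broken pattern 2: an unanchored regex that also accepts http://.
// "example-host.com" occurs inside "example-host.com.attacker.test", so
// that origin passes, and so does the right host over plain http.
function corsHeadersRegex(origin) {
  if (!origin || !/https?:\/\/.*example-host\.com/.test(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: parse the Origin as a URL, require https, and compare the
// serialised origin against the allowlist. A plain-http origin is refused
// even for the right host, because a network attacker can serve a page at
// http://www.example-host.com and use it to read the credentialed response.
function corsHeadersStrict(origin) {
  if (!origin) return {};
  let parsed;
  try {
    parsed = new URL(origin);          // "null" and junk fail to parse
  } catch {
    return {};
  }
  if (parsed.protocol !== "https:") return {};
  if (!ALLOWED_ORIGINS.has(parsed.origin)) return {};
  return {
    "Access-Control-Allow-Origin": parsed.origin,
    "Access-Control-Allow-Credentials": "true",
    // The answer depends on Origin; without Vary a cache could hand one
    // client's allow header to another.
    "Vary": "Origin",
  };
}

// True when a page at `origin` could read a credentialed response from this
// API under the given policy.
function canReadCredentialed(policy, origin) {
  const h = policy(origin);
  return h["Access-Control-Allow-Origin"] === origin &&
         h["Access-Control-Allow-Credentials"] === "true";
}

// Constructed probe origins.
const PROBES = [
  "https://my.example-host.com",              // legitimate
  "https://attacker.test",                    // unrelated site
  "https://example-host.com.attacker.test",   // suffix trick
  "http://www.example-host.com",              // right host, wrong scheme
  "null",                                     // sandboxed iframe, file:, redirects
];

for (const o of PROBES) {
  console.log(
    o.padEnd(40),
    "reflect:", canReadCredentialed(corsHeadersReflect, o),
    "regex:", canReadCredentialed(corsHeadersRegex, o),
    "strict:", canReadCredentialed(corsHeadersStrict, o),
  );
}
```

Run with `node` to see the table: the reflecting policy lets every probe read credentialed data, the regex policy lets through the suffix trick and the http origin, and the strict policy admits only the allowlisted https origin. The same probes make a reasonable black-box check against a live API: send each as an `Origin` header and see whether it comes back in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`.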

[...] Threatpost reached out to Bluehost for comment on the findings, and will update this post with any response.

[...] It's worth noting that Bluehost isn't alone here: Yibelo said that similar flaws were also found in the Dreamhost, HostGator, OVH and iPage web hosting platforms.

[0] Proof-of-concept: https://my.bluehost.com/cgi/dm/subdomain/redirect?domainkey="><script>alert(document.domain)</script>

[Update: Corrected above PoC by removing an extraneous space from "(document.d omain)" --martyb]


  • (Score: 2) by pkrasimirov (3358) on Tuesday January 15 2019, @12:02PM (#786860)

    Proof-of-concept: https://my.bluehost.com/cgi/dm/subdomain/redirect?domainkey=”><script>alert(document.d omain)</script>

    Does not work:

    * alert(document.d" rel="url2html-18018">https://my.bluehost.com/cgi/dm/subdomain/redirect?domainkey=”>alert(document.d omain)
    * alert(document.domain)" rel="url2html-18018">https://my.bluehost.com/cgi/dm/subdomain/redirect?domainkey=”>alert(document.domain)
    * alert('hi')" rel="url2html-18018">https://my.bluehost.com/cgi/dm/subdomain/redirect?domainkey=”>alert('hi')

    It gets sent back to the browser but it is properly escaped:

    <input type="hidden" name="l_redirect" value="/cgi/dm/subdomain/redirect?domainkey=%E2%80%9D%3E%3Cscript%3Ealert%28%27hi%27%29%3C%2Fscript%3E">

    • (Score: 3, Touché) by pkrasimirov (3358) on Tuesday January 15 2019, @12:21PM (#786869)

      Funny, even SN could not handle the below text:

      Proof-of-concept: https://my.bluehost.com/cgi/dm/subdomain/redirect?domainkey=”><script>alert(document.d omain)</script>

      When pasted directly it shows:

      Proof-of-concept: alert(document.d" rel="url2html-32638">https://my.bluehost.com/cgi/dm/subdomain/redirect?domainkey=”>alert(document.d omain)

    • (Score: 2) by rob_on_earth (5485) on Tuesday January 15 2019, @01:31PM (#786879)

      The bugs, now fixed -- according to Yibelo's writeup
      https://www.websiteplanet.com/blog/report-popular-hosting-hacked/ [websiteplanet.com]

      "It’s also important to note that during our process, Bluehost red-flagged our account and closed it down unceremoniously. No exact reason was given; however, since it was done after the hack was completed, we can only assume it is because they saw what we were doing. Good job, Bluehost… but a little too late."

  • (Score: 0) by Anonymous Coward on Tuesday January 15 2019, @12:04PM (#786861)

    ...about possible patent violation.
