Cenzic 232 Patent
Paid Advertising
web application security lab

1&1 Internet Customers Vulnerable to XSS

John Smith sent me this this link to a writeup on customers who are hosted at 1&1 Internet are vulnerable to XSS. The technique is simple, but it comes from the way in which they present ads based on detection of a file not found. They pop up an iframe based on file name which you can jump out of pretty easily. Not so good. I’m not sure what sort of customers 1&1 Internet provides service for but I’d be unhappy if I were a customer there. Apparently this only applies to Sedo parking prior to a certain date, and also doesn’t apply to users who use custom 404 pages (which I generally prefer to do, personally).

This brings up an interesting point though about the use of third party advertising and how that can be used to do wide scale XSS exploitation. In this case it’s no different, except instead of it being a Dom based XSS like it would normally have to be, the server does a reflection for you. Odd problem. I’ve ran into similar problems with hosting providers that put log files for all their customers in the same predictable location. So finding their customers is the only hard part. Getting their logs is easy! Nice find!

4 Responses to “1&1 Internet Customers Vulnerable to XSS”

  1. Gareth Heyes Says:

    Custom error pages only work for static files on 1and1. They have adverts hardcoded into the apache configuration. The only workaround is to use rewrite rules to bypass this:-

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule (.*) /errordocument.html

    http://www.faq.1and1.com/scripting_languages_supported/configuring_apache_server_using_htaccess/2.html

  2. LArs Says:

    How can you break out from an iframe located on another domain?

  3. Jeff Says:

    You can turn off Sedo Parking in the 1and1 control panel, and instead get a 404 page like this: Error 404 - Not found

    Your browser can’t find the document corresponding to the URL you typed in.

  4. eg33k Says:

    i spoke with a team leader for 2nd level support and he claims any vulnerability was not widespread and was fixed by Sedo/1&1.

    cheers.