Kevin Froman's blog

Blog on security, programming, & other musings

Hijacking Gandi.net Domains And Servers

2017-07-24

Gandi.net, a popular domain registrar and hosting provider used by somewhat high profile organizations, such as the EFF and Free Software Foundation, had an XSS vulnerability on its main domain name (www.gandi.net).

This also happens to be where domain DNS settings are managed, along with other account settings and server hosting.

Gandi logo

The vulnerability

Specifically, the password reset form, which is accessible even if you are logged in, did not have any protection against CSRF which allowed for other websites to submit requests to the page on behalf of the user.

The page also echoed back your Gandi ID if it was incorrect, which I found was vulnerable to XSS. It was not a completely obvious vulnerability, as the echoed back ID was in all uppercase, which required me to use JSFuck to encode my payload.

This issue is unrelated to the Gandi hack that also happened recently.

Impact

Using the vulnerability, I could have potentially hijacked domains or hosting instances by modifying DNS settings, by having users click malicious links or visit a malicious page with the payload, which would be substainally worse than social engineering alone, as the attack would not be obvious or noticeable at first.

Reporting the issue & Conclusion

I reported the issue to Gandi, who had a fix in production within 48 hours, and rewarded me a t-shirt. I will add a photo of the shirt once I obtain it.

Gandi is not the cheapest registrar or hosting provider, but they are a well established and ethical company. I would recommend them to anyone who wants an ethical host or registrar.

Written by anonymous