|
|
|
|
| |
This advisory is based on legitimate use of a ZoneEdit account, during which time the vulnerability detailed below was discovered. This document is subject to change without prior notice.
The webmasters of this site were informed of this vulnerability on 05 November 2002. To date, no useable information on protecting against this vulnerability has been received. |
| |
Credit:
The information has been provided by [secondmotion]-Matt Thompson.
|
| |
Background:
While designing a dynamic DNS client to work with ZoneEdit's control panel to be used with one of our domains for the public to have free dynamic DNS hostnames we noticed the bug in the email forward section of the ZoneEdit control panel.
Problem Description:
By having an account on the ZoneEdit server (which is free), once logged in a user may use the Authorization section of the HTTP header which allows you to access the protected section. A user can issue a mail formed command that will Edit web/email forwards or delete email forwards. As this is based upon the ID value in the ZoneEdit database, a user is unable to simply select a domain to edit - the user needs to guess an ID. Whilst this is not as insecure as knowing the ID for a domain, it is still possible to utilize the vulnerability in an arbitrary way.
Impact:
ZoneEdit hosts the DNS records for a considerable number of domains. If an individual or group were to code an automated tool to automatically modify all ID values in the database, then thousands of websites could be maliciously forwarded elsewhere and email could be redirected to an alternative mail box which would allow the attacker to read private emails.
|
|
|
|
|
|
|
|
|
|
