The following advisory is also mirrored at http://www.fribble.net/security.php

--------------- 02/02/2005 ---------------
-- Fribble.net Security Announcement --
------------------------------------------

Security Advisory: SQL injection and path disclosure in EveryDNS.net service

Discovered by: Calum Power [Enune]
Versions Affected: <= 24/01/2005
Unaffected versions: > 25/01/2005

Product Description:
EveryDNS.net is a free, online DNS service. From vendor website: "We provide static DNS services as well as many advanced services such as Dynamic DNS resolution, Secondary service, AXFR service, and domain2web redirection."

Summary:
* SQL Injection vulnerability may lead to viewing of secure information, including access to private DNS accounts.
* Path disclosure provides privileged information to potentially malicious users, which could be used in an attack.

Details:
The main EveryDNS website script, 'index.php', has a blue login form in the bottom left corner of the page. All data in this form is sanitized except for the 'username' field. When unexpected characters, such as single quotation marks, are submitted in this field, a SQL error may occur, disclosing the location of the EveryDNS.net scripts on their web server. Additionally, because this form field is unfiltered, a malicious user may be able to manipulate the database query into providing access and/or information they would not otherwise be authorized to see.

Impact: Critical
This vulnerability could lead to the compromise of private DNS accounts, including records and zone information. If a malicious user were to gain access to a private account, he/she would be able to 'hijack' the domain by redirecting the domain records to an internet server under their control.

Credit:
This vulnerability was discovered by Calum Power [Enune] on the 24th day of January 2005. The vendor was subsequently notified and the hole fixed within 24 hours.
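Returning to the login-form defect in Details above: the following is an added example, not EveryDNS code (their index.php was never published), using Python with sqlite3 as a stand-in for the login lookup. It shows the unescaped-username query beside its parameterized form, and a handler that keeps database error text (and with it any script path) out of the HTTP response. The table schema and the server_side_log hook are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the account table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    """The defect: the username is spliced into the SQL text unescaped.
    A stray quote breaks the statement (a driver error, which a page that
    echoes errors prints along with the script's path); crafted quotes
    change the WHERE clause itself."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened form: bound parameters. Input travels as data, so quotes in it
    can neither terminate the string literal nor alter the query structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def server_side_log(message):
    """Placeholder for the application's own logger (assumption)."""
    pass


def login_handler(conn, username, password):
    """Closes the path-disclosure half: a database error becomes a generic
    client-facing message; the exception text stays on the server."""
    try:
        return {"ok": login_safe(conn, username, password) is not None}
    except sqlite3.Error as exc:  # carries SQL text / paths in a real stack
        server_side_log(str(exc))
        return {"ok": False, "error": "login failed"}
```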
Calum would like to thank David Ulevitch for his prompt response to this advisory, and commends the EveryDNS service on its great service to the internet community.

Copyright: 2005 Calum Power (Enune) - www.fribble.net
This advisory may be quoted, transmitted or copied in any way, providing this original author credit is kept intact.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html