Users login

Create an account »


Users login

Home » Hacking News » ZoneEdit Account Hijack Vulnerability

ZoneEdit Account Hijack Vulnerability

by Nikola Strahija on November 5th, 2002 This advisory is based on legitimate use of a ZoneEdit account, during which time the vulnerability detailed below was discovered. This document is subject to change without prior notice. The webmasters of this site were informed of this vulnerability on 05 November 2002. To date, no useable information on protecting against this vulnerability has been received. If anyone reading this is aware of any further information relating to this vulnerability, please contact the authors below or report via BugTraq.

I. Background

While designing a dynamic dns client to work with ZoneEdit's
control panel to be used with one of our domains for the
public to have free dynamic DNS hostnames we noticed the bug
in the eMail forward section of the ZoneEdit control panel.

II. Problem Description

By having an account on the ZoneEdit server (which is free),
once logged in a user may use the Authorization section of the
HTTP header which allows you to access the protected section.
A user can issue a mail formed command that will Edit web/eMail
forwards or delete eMail forwards. As this is based upon the
ID value in the ZoneEdit database, a user is unable to simply
select a domain to edit - the user needs to guess an ID. Whilst
this is not as insecure as knowing the ID for a domain, it is
still possible to utilise the vulnerability in an arbitrary way.

III. Impact:

ZoneEdit hosts the DNS records for a considerable number of
domains. If an individual or group were to code an automated
tool to automatically modify all ID values in the database,
then thousands of websites could be maliciously forwarded
elsewhere and eMail could be redirected to an alternative mail
box which would allow the attacker to read private eMails.

IV. Solution

We can not be certain of a solution at this time since we
do not have access to the source code of the ZoneEdit
control panel. The IP address section of the control panel
seems to be protected from the vulnerability so it's possible
the developers have failed to add security into the webforward
and eMail forward sections. We strongly recommend the scripts are
reviewed ASAP to ascertain why some scripts are protected
and some are not. Also, each page should check against the
database that the account which is being used is actually allowed
access to the page before any of the page/code is executed.

V. Contact & Credits

[email protected] - Matt Thompson [Proof of Concept]
[email protected] - Paul Smurthwaite

VI. Source code

Source code has not been published for security reasons as
it is a single server problem which controls many other web
sites DNS and would result in a mass attack.

A Proof of Concept tool can be provided at short notice on request.

- -ends-

Matt Thompson

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »