ZoneEdit Account Hijack Vulnerability

Type securityvulns
Reporter Securityvulns
Modified 2002-11-06T00:00:00



=====================================================================
secondmotion-SM-SA-02-02                          Security Advisory
=====================================================================
Topic:          ZoneEdit Account Hijack Vulnerability
Announced:      2002-11-05
Updated:        2002-11-05
Tested on:      Accounts
Not affected:
Obsoletes:
=====================================================================

This advisory is based on legitimate use of a ZoneEdit account, during which time the vulnerability detailed below was discovered. This document is subject to change without prior notice.

The webmasters of this site were informed of this vulnerability on 05 November 2002. To date, no usable information on protecting against this vulnerability has been received.

If anyone reading this is aware of any further information relating to this vulnerability, please contact the authors below or report via BugTraq.

I. Background

    While designing a dynamic DNS client to work with ZoneEdit's
    control panel, to be used with one of our domains so that the
    public could have free dynamic DNS hostnames, we noticed the bug
    in the eMail forward section of the ZoneEdit control panel.

II. Problem Description

    Anyone holding an account on the ZoneEdit server (which is free)
    can, once logged in, reuse the Authorization section of the
    HTTP header to reach the protected section of the control panel.
    A user can then issue a malformed command that edits web/eMail
    forwards or deletes eMail forwards. As the operation is keyed on
    the ID value in the ZoneEdit database, a user is unable to simply
    select a domain to edit - the user needs to guess an ID.  Whilst
    this is not as insecure as knowing the ID for a domain, it is
    still possible to exploit the vulnerability in an arbitrary way.

III. Impact:

    ZoneEdit hosts the DNS records for a considerable number of
    domains. If an individual or group were to code an automated
    tool to modify every ID value in the database, then thousands
    of websites could be maliciously forwarded elsewhere and eMail
    could be redirected to an alternative mailbox, which would allow
    the attacker to read private eMails.

IV. Solution

    We cannot be certain of a solution at this time since we
    do not have access to the source code of the ZoneEdit
    control panel. The IP address section of the control panel
    seems to be protected from the vulnerability, so it is possible
    the developers have failed to add the same check to the webforward
    and eMail forward sections. We strongly recommend the scripts are
    reviewed ASAP to ascertain why some scripts are protected
    and some are not.  Also, each page should check against the
    database that the account which is being used is actually allowed
    access to the record before any of the page/code is executed.
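    The per-page ownership check recommended above, shown as an added
    example that is not ZoneEdit's code: a minimal handler that resolves
    the HTTP Basic Authorization header to an account and then refuses to
    touch a forward record whose owner is a different account. The account
    table, forward table and status codes are constructed for illustration.

```python
import base64
import hmac

# Constructed sample data standing in for the control panel's database.
# Passwords are kept in clear only to keep the example short.
ACCOUNTS = {"alice": "pw-alice", "bob": "pw-bob"}


def make_forward_table():
    """Fresh copy of the forward table: forward_id -> (owner, domain, target)."""
    return {
        101: ("alice", "example.org", "mail@alice.example"),
        102: ("bob", "example.net", "mail@bob.example"),
    }


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value for a user."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def account_from_authorization(header):
    """Return the account named by a valid Basic Authorization header, else None."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = ACCOUNTS.get(user)
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    return user


def delete_forward_unchecked(header, forward_id, forwards):
    """Flawed pattern the advisory describes: any logged-in account is honoured
    for any ID, so the guessed ID alone decides whose forward is removed."""
    if account_from_authorization(header) is None:
        return 401
    if forward_id not in forwards:
        return 404
    del forwards[forward_id]
    return 200


def delete_forward(header, forward_id, forwards):
    """Hardened: confirm the authenticated account owns the record before acting.
    Unowned and missing IDs both yield 404, so the reply does not confirm an ID exists."""
    account = account_from_authorization(header)
    if account is None:
        return 401
    row = forwards.get(forward_id)
    if row is None or row[0] != account:
        return 404
    del forwards[forward_id]
    return 200
```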

V. Contact & Credits

    - Matt Thompson [Proof of Concept]
    - Paul Smurthwaite

VI. Source code

    Source code has not been published for security reasons, as
    this is a single-server problem affecting the DNS of many other
    web sites and publication would enable a mass attack.

    A Proof of Concept tool can be provided at short notice on request.

=====================================================================
- -ends-

Matt Thompson
