1. Forum
  2. USENET
  3. comp.protocols.dns.bind

  • Re: Fwd: DNS Misconfiguration on- http://cyberia.net.sa/

    From Matus UHLAR - fantomas@uhlar@fantomas.sk to bind-users on Fri Jun 5 11:23:05 2020
    From Newsgroup: comp.protocols.dns.bind

    On 05.06.20 11:54, Ejaz Ahmed wrote:
    Some one is is claiming that our name server 212.118.64.2 is vulnerable
    with below information is this true

    it's not the nameserver. It's the domain "cyberia.net.sa" that has
    "localhost" in it pointing go 127.0.0.1

    This is useless. The localhost hostname should not exist in domains other
    than "localhost." that should be configured on recursive servers.

    Any suggestions would be appreciated

    simply remove the "localhost" record from cyberia.net.sa and possibly other domains.

    Dear CYBERIA GROUP Security Team ,

    I Rahul a Ethical Hacker and Security Researcher. I found a vulnerability
    on your website that is DNS Misconfiguration .

    Your *localhost.cyberia.net.sa <http://localhost.cyberia.net.sa> *has >address 127.0.0.1 and this may lead to "Same- Site" Scripting. I can also >ping the localhost network.


    Here is detailed description of this minor security issue :* >http://www.securityfocus.com/archive/1/486606/30/0/threaded ><https://hackerone.com/redirect?signature=f22656dd5afea782410979cdd3fbb951f819c82e&url=http%3A%2F%2Fwww.securityfocus.com%2Farchive%2F1%2F486606%2F30%2F0%2Fthreaded>*

    *Find attached POC Video. *

    *Dear Team Waiting for your response and I want bounty(money) with an >Appreciation letter for my work and effort which I have given for *


    *Thanks in advance *
    *Ejaz *
    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. REALITY.SYS corrupted. Press any key to reboot Universe.
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Fred Morris@m3047@m3047.net to bind-users@lists.isc.org on Fri Jun 5 09:16:37 2020
    From Newsgroup: comp.protocols.dns.bind

    Hrmmm... I'm reminded of something else I've seen reported on recently...

    On Fri, 5 Jun 2020, Ejaz Ahmed wrote:
    localhost.cyberia.net.sa

    I don't know if you've been paying attention, but it's been reported that among others EBay has been port scanning visitor's devices [0]. Having localhost.ebay.com could be handy for them in terms of circumventing some rules on setting of cookies and the execution of scripts. Not saying
    that's what they're doing, heaven forbid.

    Any domain you visit could have entries in it which point to e.g.
    localhost or nonrouting addresses commonly used for gateways, things like that.

    This is not a DNS problem, it's a problem in what commonly used programs
    aid and abet in the name of "freedom of commerce" or something.

    --

    Fred Morris

    --

    [0] https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/

    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Lee@ler762@gmail.com to Fred Morris on Fri Jun 5 20:33:21 2020
    From Newsgroup: comp.protocols.dns.bind

    On 6/5/20, Fred Morris <m3047@m3047.net> wrote:
    Hrmmm... I'm reminded of something else I've seen reported on recently...

    On Fri, 5 Jun 2020, Ejaz Ahmed wrote:
    localhost.cyberia.net.sa

    I don't know if you've been paying attention, but it's been reported that among others EBay has been port scanning visitor's devices [0]. Having localhost.ebay.com could be handy for them in terms of circumventing some rules on setting of cookies and the execution of scripts. Not saying
    that's what they're doing, heaven forbid.

    Any domain you visit could have entries in it which point to e.g.
    localhost or nonrouting addresses commonly used for gateways, things like that.

    This is not a DNS problem, it's a problem in what commonly used programs
    aid and abet in the name of "freedom of commerce" or something.

    It's possible to block with rpz & something else that I can't recall
    right now. I did RPZ blocking first, so I didn't bother changing

    ; return NXDOMAIN for any 127.0.0.0/8 answers
    ; exceptions:
    onea.net-snmp.org CNAME rpz-passthru.
    twoa.net-snmp.org CNAME rpz-passthru.
    localhost CNAME rpz-passthru.
    8.0.0.0.127.rpz-ip CNAME . ; 127.0.0.0/8
    ; check:
    ; localhost 127.0.0.1
    ; onea.net-snmp.org 127.0.0.1
    ; twoa.net-snmp.org 127.0.0.2 127.0.0.3

    All my other host names that used to return 127.0.0.1 answers don't
    any more :( Anyone know some valid names I can use for testing?

    Lee
    --- Synchronet 3.21d-Linux NewsLink 1.2