Bug 1267546 (Closed)
Opened 9 years ago; closed 9 years ago
Subdomain takeover via Github Pages - *.fxosapps.org
Categories: Websites :: Other, defect
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: griffin.francis.1993, Unassigned
Keywords: reporter-external, sec-high, wsec-takeover
Attachments: 1 file (5.06 KB, text/plain)
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36
Steps to reproduce:
This attack vector utilizes DNS-entries pointing to Service Providers where the pointed subdomain is currently not in use. Depending on the DNS-entry configuration and which Service Provider it points to, some of these services will allow unverified users to claim these subdomains as their own.
Check your DNS-configuration for subdomains pointing to services not in use.
https://labs.detectify.com/2014/10/21/hostile-subdomain-takeover-using-herokugithubdesk-more/
Actual results:
I was able to take over the domain as there was an existing DNS record pointing to a Github record.
Expected results:
The DNS records should be removed if the subdomain is not in use.
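A defender-side audit for the condition described above (an added example, not code from the bug report or from Mozilla): it parses a zone dump for CNAME records, keeps those whose target sits on a provider where unclaimed names can be registered (GitHub Pages, and Heroku as in the linked write-up), and reports the ones a caller-supplied check says are unclaimed. The zone lines, the hostnames and the `target_is_claimed` callback are all constructed for the example.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample zone dump (hypothetical names, not the real fxosapps.org records).
SAMPLE_ZONE = """\
bluetooth.example-apps.test.    300 IN CNAME example-org.github.io.
firefoxhello.example-apps.test. 300 IN CNAME example-org.github.io.
www.example-apps.test.          300 IN CNAME example-apps.test.
api.example-apps.test.          300 IN A     192.0.2.10
"""

# Provider suffixes where an unclaimed target name can be registered by any account.
TAKEOVER_PRONE_SUFFIXES = (".github.io.", ".herokuapp.com.")

CNAME_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+CNAME\s+(\S+)$")


def parse_cnames(zone_text: str) -> Dict[str, str]:
    """Map each CNAME owner name to its target, both normalised to lower-case FQDNs."""
    records: Dict[str, str] = {}
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.strip())
        if m:
            owner, target = (n.lower() for n in m.groups())
            records[owner] = target if target.endswith(".") else target + "."
    return records


def find_dangling(cnames: Dict[str, str],
                  target_is_claimed: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs whose target is on a takeover-prone provider and is
    not currently claimed there. target_is_claimed is supplied by the caller: for GitHub
    Pages a bare DNS lookup is not enough, because *.github.io answers for names nobody
    owns, so the callback should check whether a Pages site actually exists."""
    dangling: List[Tuple[str, str]] = []
    for owner, target in sorted(cnames.items()):
        if target.endswith(TAKEOVER_PRONE_SUFFIXES) and not target_is_claimed(target):
            dangling.append((owner, target))
    return dangling


def audit_sample() -> List[Tuple[str, str]]:
    """Run the audit over the constructed zone with a constructed set of claimed targets."""
    claimed = {"example-apps.test."}  # example-org.github.io. is deliberately unclaimed
    return find_dangling(parse_cnames(SAMPLE_ZONE), lambda t: t in claimed)


if __name__ == "__main__":
    for owner, target in audit_sample():
        print(f"remove dangling CNAME: {owner} -> {target}")
```

Each pair it returns is a record to delete (or a target to claim yourself) before anyone else registers it.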
Comment 1 • 9 years ago (Reporter)
Just to further add to this, it appears to affect all subdomains associated with *.fxosapps.org. There are upwards of 50+ based on what I can see.
Updated • 9 years ago (Reporter)
Summary: Subdomain takeover via Github Pages - http://bluetooth.fxosapps.org/ → Subdomain takeover via Github Pages - *.fxosapps.org
Updated • 9 years ago
Keywords: sec-high, wsec-appmisconfig
Comment 2 • 9 years ago
Griffin: Could you please add more details regarding the 50+ subdomains affected? Can you also add some details about how you went about performing a take over on one of the domains? We're aware of similar type issues with Heroku (like mentioned in the article), but want to get as much clarity as possible to understand impact and be able to communicate that to the service owner(s).
Comment 3 • 9 years ago
I've removed the CNAME entries under fxosapps.org pointing to fxos.github.io. I've attached a list of all DNS records which were deleted. The removals will not be visible immediately; it will take approximately 30 minutes for our DNS servers to stop answering these queries.
Comment 4 • 9 years ago (Reporter)
Hello, what Brian has done has fixed the issue at hand. I was able to claim fxos.github.io as it was valid within Github pages. All I had to do was point it to the relevant domain as indicated here - https://github.com/WHITEHACK-pub/fxos.github.io/blob/gh-pages/CNAME and I would be able to claim it as mine. Please let me know if you would like any additional information.
Updated • 9 years ago (Reporter)
Flags: sec-bounty?
Comment 5 • 9 years ago
Brian, is this correct? Has this issue been resolved?
Flags: needinfo?(bhourigan)
Comment 6 • 9 years ago
(In reply to Al Billings [:abillings] from comment #5)
> Brian, is this correct? Has this issue been resolved?
Yes, it has. I just double checked and can confirm the DNS entries listed in attachment 8745645 [details] have been removed. Additionally:
bhourigan@moderock ~/mozilla/dnsconfig » dig +short firefoxhello.fxosapps.org @8.8.8.8
bhourigan@moderock ~/mozilla/dnsconfig »
Flags: needinfo?(bhourigan)
Updated • 9 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: sec-bounty? → sec-bounty+
Resolution: --- → FIXED
Updated • 6 years ago
Keywords: wsec-appmisconfig → wsec-takeover
Updated • 8 months ago
Keywords: reporter-external