Tuesday February 9, 2010
Languages
Most Viewed Items
  1 PHPXMLRPC Library Remote Code Execution
  2 XMB Forums Multiple Vulnerabilities
  3 Mambo Multiple Vulnerabilities
  4 Multiple Invision Power Board Vulnerabilities
  5 MySQL Eventum Multiple Vulnerabilities
  6 Gallery 2 Multiple Vulnerabilities
  7 Geeklog Remote Code Execution
  8 RunCMS Multiple Vulnerabilities
  9 Kayako LiveResponse Multiple Vulnerabilities
10 phpRPC Library Remote Code Execution
Need Secure Web Apps?
Quick Search
You can use the form below to search our site. Just enter the keywords to search.
Home Research Services About Contact
RhinoSoft DNS4ME HTTP Server Vulnerabilities
September 16, 2004
Vendor : RhinoSoft
URL : http://www.dns4me.com/
Version : RhinoSoft.com DNS4Me Web Server/3.0.0.4
Risk : Multiple Vulnerabilities
BID : http://www.securityfocus.com/bid/11213


Description:
DNS4Me is the dynamic DNS service that you need to start hosting your own Internet services. When you have a dynamic IP address, you need something to associate a static domain name with it to make it easier for visitors to access the services you provide. With DNS4Me, you can take control of your Web site by running your own HTTP server. Without a hosting company, you've eliminated the cost of hosting as well as a layer of contact between you and your Web site. This gives you unparalleled control overits configuration, content, and delivery. But the benefits of dynamic DNS aren't just for HTTP servers. Any service that can make use of a domain name can benefit from DNS4Me. This includes FTP servers, e-mail servers, daemons for today's popular computer games, NetMeeting… With the reliability and excellent support you've come to expect of RhinoSoft.com backing up DNS4Me, you'll get a powerful, no hassle dynamic DNS solution.


Cross Site Scripting:
It is possible for an attacker to render malicious code in a victims browser by sending them a url to request a document on the server(s), which contains A malformed query string.

http://127.0.0.1/?%3E%3Cscript%3Ealert('XSS')%3C/script%3E

Any code in the query string will be executed and cause cross site scripting.


Denial Of Service:
RhinoSoft.com DNS4Me Web Server is vulnerable to Denial Of Service attacks. If a malicious user sends a large amount of data to port 80, or the port that the DNS4Me Web Server is running on, it will send the CPU usage to 99% and eventually crash the affected server.


Solution:
The developers were contacted last month about these issues. They said they needed a month to resolve them. It has been one month so users should check their website for an update. Also, the RhinoSoft HTTP server may be included in other RhinoSoft apps as well. Not sure of this, but something for other researchers to look out for.


Credits:
James Bercegay of the GulfTech Security Research Team.

Terms of Use | Disclaimer
Copyright 2010 GulfTech Research And Development, LLC. All Rights Reserved