RhinoSoft DNS4ME HTTP Server Vulnerabilities
September 16, 2021
Vendor : RhinoSoft
URL : http://www.dns4me.com/
Version : RhinoSoft.com DNS4Me Web Server/3.0.0.4
Risk : Multiple Vulnerabilities
BID : http://www.securityfocus.com/bid/11213


Description:
DNS4Me is the dynamic DNS service that you need to start hosting your own Internet services. When you have a dynamic IP address, you need something to associate a static domain name with it to make it easier for visitors to access the services you provide. With DNS4Me, you can take control of your Web site by running your own HTTP server. Without a hosting company, you've eliminated the cost of hosting as well as a layer of contact between you and your Web site. This gives you unparalleled control over its configuration, content, and delivery. But the benefits of dynamic DNS aren't just for HTTP servers. Any service that can make use of a domain name can benefit from DNS4Me. This includes FTP servers, e-mail servers, daemons for today's popular computer games, NetMeeting… With the reliability and excellent support you've come to expect of RhinoSoft.com backing up DNS4Me, you'll get a powerful, no hassle dynamic DNS solution.


Cross Site Scripting:
An attacker can cause malicious code to be rendered in a victim's browser by sending them a URL that requests a document on the server and contains a malformed query string.

http://127.0.0.1/?%3E%3Cscript%3Ealert('XSS')%3C/script%3E

Any script code placed in the query string will be executed in the victim's browser, resulting in cross-site scripting.
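
An added example, not part of the original advisory and not RhinoSoft code: a Python sketch for defenders that flags requests like the one above in access logs and shows the HTML-escaped form a server should emit if it echoes a query string. The log format, sample lines and function names are constructed for illustration.

```python
import html
from urllib.parse import urlsplit, unquote

# Characters that let a reflected value break out of HTML markup (coarse indicator).
HTML_META = set("<>\"'")

# Constructed sample log lines; only the second request target comes from the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Sep/2021:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    "192.0.2.11 - - [16/Sep/2021:10:00:05 +0000] \"GET /?%3E%3Cscript%3Ealert('XSS')%3C/script%3E HTTP/1.1\" 200 734",
    '192.0.2.12 - - [16/Sep/2021:10:00:09 +0000] "GET /?page=%253Cb%253E HTTP/1.1" 200 734',
    '192.0.2.13 - - [16/Sep/2021:10:00:12 +0000] "GET /search?q=dns+update HTTP/1.1" 200 420',
]

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C) is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def query_has_markup(request_target):
    """True when the decoded query string contains HTML metacharacters."""
    query = decode_fully(urlsplit(request_target).query)
    return any(ch in HTML_META for ch in query)

def safe_reflect(request_target):
    """The query string as it should appear if it must be echoed into HTML."""
    query = decode_fully(urlsplit(request_target).query)
    return html.escape(query, quote=True)

def flag_requests(log_lines):
    """Return request targets from common-log-style lines whose query carries markup."""
    flagged = []
    for line in log_lines:
        try:
            target = line.split('"')[1].split(" ")[1]  # 'GET /path?query HTTP/1.1'
        except IndexError:
            continue  # malformed line, skip it
        if query_has_markup(target):
            flagged.append(target)
    return flagged

if __name__ == "__main__":
    for t in flag_requests(SAMPLE_LOG):
        print(t, "->", safe_reflect(t))
```
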


Denial Of Service:
RhinoSoft.com DNS4Me Web Server is vulnerable to denial-of-service attacks. If a malicious user sends a large amount of data to port 80, or to whichever port the DNS4Me Web Server is running on, CPU usage rises to 99% and the affected server eventually crashes.


Solution:
The developers were contacted last month about these issues. They said they needed a month to resolve them. It has been one month, so users should check the vendor's website for an update. Also, the RhinoSoft HTTP server may be included in other RhinoSoft apps as well. We are not sure of this, but it is something for other researchers to look out for.


Credits:
James Bercegay of the GulfTech Security Research Team.