########################################################## # GulfTech Security Research September, 16th 2004 ########################################################## # Vendor : RhinoSoft # URL : http://www.dns4me.com/ # Version : RhinoSoft.com DNS4Me Web Server/3.0.0.4 # Risk : Cross Site Scripting && Denial of service ########################################################## Description: DNS4Me is the dynamic DNS service that you need to start hosting your own Internet services. When you have a dynamic IP address, you need something to associate a static domain name with it to make it easier for visitors to access the services you provide. With DNS4Me, you can take control of your Web site by running your own HTTP server. Without a hosting company, you've eliminated the cost of hosting as well as a layer of contact between you and your Web site. This gives you unparalleled control overits configuration, content, and delivery. But the benefits of dynamic DNS aren't just for HTTP servers. Any service that can make use of a domain name can benefit from DNS4Me. This includes FTP servers, e-mail servers, daemons for today's popular computer games, NetMeeting. With the reliability and excellent support you've come to expect of RhinoSoft.com backing up DNS4Me, you'll get a powerful, no hassle dynamic DNS solution. The RhinoSoft DNS4ME HTTP server is prone to multiple vulnerabilities, and users are encouraged to upgrade as soon as possible. Cross Site Scripting: It is possible for an attacker to render malicious code in a victims browser by sending them a url to request a document on the server(s), which contains A malformed query string. http://127.0.0.1/?%3E%3Cscript%3Ealert('XSS')%3C/script%3E Any code in the query string will be executed and cause cross site scripting. Denial of Service: RhinoSoft.com DNS4Me Web Server is vulnerable to Denial Of Service attacks. If a malicious user sends a large amount of data to port 80, or the port that the DNS4Me Web Server is running on, it will send the CPU usage to 99% and eventually crash the affected server. Solution: The developers were contacted last month about these issues. They said they needed a month to resolve them. It has been one month so users should check their website for an update. Also, the RhinoSoft HTTP server may be included in other RhinoSoft apps as well. Not sure of this, but something for other researchers to look out for. Related Info: The original advisory can be found at the following location http://www.gulftech.org/?node=research&article_id=00049-09162004 Credits: James Bercegay of the GulfTech Security Research Team
