Sec Bug #74238 pt2.php.net subdomain takeover
Submitted: 2017-03-12 07:15 UTC Modified: 2017-10-16 03:05 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: is4curity at gmail dot com Assigned: rasmus
Status: Closed Package: Website problem
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2017-03-12 07:15 UTC] is4curity at gmail dot com
Description:
------------
Hello,

Your subdomain pt2.php.net is pointing to php.dominios.pt:

https://mxtoolbox.com/SuperTool.aspx?action=cname%3apt2.php.net&run=toolpage
pt2.php.net. IN CNAME php.dominios.pt

and it's expired, or you can go here:

https://my.dominios.pt/orderdomain.php?action=checkAvailability&directForm=1&domains=php&tld%5b%5d=.dominios.pt

Check the domain php.dominios.pt; it's available.

A hacker can register it.

The domain can be claimed by anyone.

So you must delete the CNAME
or register the domain again.

See the photos:

https://image.ibb.co/b4oUtv/cname.png

https://image.ibb.co/n8AaYv/domain_checker.png


Thanks


Expected result:
----------------
If the hacker registers the domain, he will add contents and he can hack the
pt2.php.net visitor.


 [2017-03-14 11:03 UTC] krakjoe@php.net
-Assigned To: +Assigned To: rasmus
 [2017-03-14 11:03 UTC] krakjoe@php.net
Rasmus, would you mind having a look at this?

Maybe re-assign to someone more appropriate.
 [2017-03-14 11:22 UTC] nikic@php.net
I've explicitly disabled the mirror and mailed the maintainer.
 [2017-03-14 19:00 UTC] rasmus@php.net
-Status: Assigned +Status: Closed
 [2017-03-14 19:00 UTC] rasmus@php.net
I deleted the mirror. It will take a little while to propagate out.
 [2017-09-18 21:38 UTC] is4curity at gmail dot com
But the CNAME is still the same as before; it has not been deleted yet.

See this screen:

https://i.imgur.com/nB660Ul.png

And the CNAME subdomain is available to register; see this screen from inside easydns. Anyone can register it, just pay the money. See the photos:

https://i.imgur.com/K5cGhVl.png

https://i.imgur.com/DNMvAFC.png

https://i.imgur.com/JRZ79iP.png

Best regards,
mahmoud elmanzalawy
 [2017-09-19 06:57 UTC] requinix@php.net
It still resolves for me from 8.8.8.8/4.4, however querying the php.net nameservers directly gives an empty result. Was the DNS entry not entirely removed?
 [2017-09-19 11:39 UTC] Is4curity at gmail dot com
Hello,
No sir, not entirely removed.
See that URL; it explains how to remove all CNAME records:

https://ae.godaddy.com/help/change-a-
cname-record-19237

After you remove all, inform me so I can confirm it is fixed.
 [2017-09-19 11:51 UTC] is4curity at gmail dot com
-Status: Closed +Status: Assigned
 [2017-09-19 11:51 UTC] is4curity at gmail dot com
Sorry, this is the true URL:

https://ae.godaddy.com/help/change-a-cname-record-19237
 [2017-09-21 10:29 UTC] is4curity at gmail dot com
Hello,
Now I confirm it's fixed and the CNAME is removed.
 [2017-09-21 10:48 UTC] requinix@php.net
-Status: Assigned +Status: Closed
 [2017-09-21 10:48 UTC] requinix@php.net
Yup.
 [2017-09-21 20:39 UTC] is4curity at gmail dot com
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2017-09-21 20:39 UTC] is4curity at gmail dot com
Thank you @requinix for the quick reply.
 [2017-09-21 20:52 UTC] is4curity at gmail dot com
Can I ask you to kindly make the report public, not private?
 [2017-10-16 03:05 UTC] stas@php.net
-Package: Other web server +Package: Website problem
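
The condition reported in this thread, a CNAME left pointing at an external name that no longer exists, can be audited for across a whole zone. The following is an added example, not part of the original report or of php.net's tooling: it parses zone lines in the form quoted above and flags external CNAME targets that do not resolve. The sample records other than the pt2.php.net line are constructed, and the function names and the pluggable `resolves` callback are assumptions of this sketch.

```python
import socket

# Constructed sample zone: only the pt2.php.net line comes from the report.
SAMPLE_ZONE = """\
pt2.php.net.    IN CNAME php.dominios.pt
www.php.net.    IN CNAME php.net.
; comment lines and non-CNAME records are ignored
static.php.net. 3600 IN CNAME cdn.example.net.
php.net.        IN A     192.0.2.10
"""

def parse_cnames(zone_text):
    """Return (owner, target) pairs, lowercased and without the trailing dot."""
    pairs = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        upper = [f.upper() for f in fields]
        if "CNAME" not in upper:
            continue
        idx = upper.index("CNAME")
        if idx == 0 or idx + 1 >= len(fields):
            continue  # malformed line: no owner or no target
        owner = fields[0].rstrip(".").lower()
        target = fields[idx + 1].rstrip(".").lower()
        pairs.append((owner, target))
    return pairs

def system_resolves(name):
    """Default check: does the system resolver return any address for name?"""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def audit(zone_text, own_zone, resolves=system_resolves):
    """Flag CNAMEs whose target is outside own_zone and does not resolve."""
    own_zone = own_zone.rstrip(".").lower()
    findings = []
    for owner, target in parse_cnames(zone_text):
        in_zone = target == own_zone or target.endswith("." + own_zone)
        if not in_zone and not resolves(target):
            findings.append((owner, target))
    return findings

if __name__ == "__main__":
    for owner, target in audit(SAMPLE_ZONE, "php.net"):
        print(f"dangling CNAME: {owner} -> {target}")
```

A target that still resolves through a provider's wildcard record is not flagged by this check, so a registrar or provider availability lookup like the one in the report remains a separate step.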
 
Last updated: Tue May 21 08:01:31 2024 UTC