EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
Creative Commons Attribution 4.0 International

FreshDesk is still vulnerable #71

Open m7mdharoun opened 5 years ago

m7mdharoun commented 5 years ago

Service name

FreshDesk

Proof

If the subdomain has a fingerprint and the CNAME is the same fingerprint, yes, the subdomain can be taken over!

Fingerprint: We couldn't find support.example.com May be this is still fresh!

You can claim it now at http://www.freshdesk.com/signup

Documentation

HarryMag could take over a subdomain: http://support.hvst.com/support/login (Freshdesk)

EdOverflow commented 5 years ago

Thank you for raising this issue, @m7mdharoun. @codingo, we really need to look into FreshDesk at some point.

m7mdharoun commented 5 years ago

@EdOverflow @codingo I want to add: when you sign up at Freshdesk you will get any subdomain, e.g. mysubdomain.freshdesk.com. You can request to change your subdomain to any available subdomain, only via Freshdesk support. (Freshdesk allows this.)

Walidhossain010 commented 4 years ago

Is this still vulnerable, @m7mdharoun @EdOverflow?

Walidhossain010 commented 4 years ago

Freshdesk is not vulnerable, @EdOverflow.

https://support.freshdesk.com/support/solutions/articles/37590-using-a-vanity-support-url-and-pointing-the-cname

justforhack commented 4 years ago

No one thinks about closing this "2-years club" issue

agrawalsmart7 commented 3 years ago

I think I was able to take over. So it's still vulnerable.

EdOverflow commented 3 years ago

@justforhack, the way the project works is that "Issues" are not in fact used for their intended purpose. This has turned more into a forum of sorts for people to discuss specific services within issue tickets. Closing issue tickets makes them slightly less discoverable which is undesirable. In other words, there is no "fix" for these issues as you might typically see on GitHub—these are merely posts and discussions.

shelld3v commented 3 years ago

Okay man!!

(I thought my comment had disappeared from this world, a long time ago...)

ibk96 commented 3 years ago

https://www.youtube.com/watch?v=eph0PaccRP0

sekharlee commented 3 years ago

Hello guys, is the Freshdesk CNAME still vulnerable to subdomain takeover?

lappsec commented 2 years ago

They now seem to require validation through adding a DNS record. I don't think takeover is still possible. If there's some way around the verification, I'm all ears.

varmakollu commented 1 year ago

Is FreshDesk subdomain takeover vulnerable or not? Is any verification required?

Renganathanofficial commented 1 week ago

Can confirm, it's not vulnerable.
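
A zone owner's view of the fingerprint check described in the first post, as an added example that is not part of the thread or the project: it reads a zone export and saved response bodies offline and flags CNAMEs to Freshdesk that serve the quoted string, so the stale record can be removed or repointed. The `.freshdesk.com` suffix match, the function names and all sample records are assumptions constructed for illustration.

```python
# Added example: offline audit of a zone export; all sample data is constructed.
FINGERPRINT = "May be this is still fresh!"  # from the string quoted in the issue
VENDOR_SUFFIX = ".freshdesk.com"             # assumed CNAME target suffix

SAMPLE_ZONE = """\
; constructed sample zone export
support.example.com. 3600 IN CNAME oldhelpdesk.freshdesk.com.
help.example.com.    3600 IN CNAME example.freshdesk.com.
desk.example.com.    3600 IN CNAME legacy.freshdesk.com.
www.example.com.     3600 IN CNAME cdn.example.net.
docs.example.com.    3600 IN A     192.0.2.10
"""
SAMPLE_BODIES = {  # constructed bodies saved from the owner's own hostnames
    "support.example.com": "We couldn't find support.example.com " + FINGERPRINT,
    "help.example.com": "<html><title>Example Helpdesk</title></html>",
}

def parse_cnames(zone_text):
    """Return {owner: target} for every CNAME line in a BIND-style export."""
    cnames = {}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments, tokenize
        upper = [f.upper() for f in fields]
        if "CNAME" not in upper:
            continue
        idx = upper.index("CNAME")
        if idx == 0 or idx + 1 >= len(fields):
            continue  # malformed: no owner or no target
        cnames[fields[0].rstrip(".").lower()] = fields[idx + 1].rstrip(".").lower()
    return cnames

def audit(zone_text, bodies):
    """Classify each Freshdesk-pointing CNAME as stale, ok or unknown."""
    findings = []
    for owner, target in sorted(parse_cnames(zone_text).items()):
        if not target.endswith(VENDOR_SUFFIX):
            continue
        body = bodies.get(owner)
        if body is None:
            status = "unknown"  # nothing saved: check this host by hand
        elif FINGERPRINT in body:
            status = "stale"    # fingerprint page served: remove or repoint
        else:
            status = "ok"       # a portal answers for this hostname
        findings.append((owner, target, status))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_ZONE, SAMPLE_BODIES), sep="\n")
```

A `stale` result means the record is dangling, not that the name is claimable; a later comment in the thread reports that the vendor now asks for validation through a DNS record.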