PolymathNetwork / polymath-core

Core Ethereum Smart Contracts for Polymath - The Securities Token Platform
http://polymath.network
Apache License 2.0

Security Report: Subdomain Takeover of https://go.polymath.network Pointing to unbounce #884

Open aparcekarl opened 4 years ago

aparcekarl commented 4 years ago

Hi Polymath Security Team,

I found that your website is suffering from a subdomain takeover pointing to Unbounce pages, but no such page is connected to the external server, which is very dangerous.

https://go.polymath.network/

Steps to Takeover:

  1. Log in to Unbounce.
  2. Select the sub-account where you want to add your custom domain.
  3. Open the Domains tab from the side navigation bar.
  4. Click Add a Domain.
  5. Select the type of custom domain, either a root domain or a sub-domain.
  6. Enter your domain name.
  7. Add Domain to confirm.

This unused subdomain can be claimed by anyone and fully taken over.

An attacker can fully take over this subdomain and do whatever he wants. This can cause huge damage to the website's main domain as well as to the company.

Impact

This vulnerability is rated as severe due to the increased impact that can be escalated.

I can escalate this issue to a more severe vulnerability where I can create an email address that acts as the admin or support team, for example:

admin@go.polymath.network
support@go.polymath.network

I recommend removing the CNAME and DNS records connecting to it. You can read about this sort of attack here: http://labs.detectify.com/post/109964122636/hostile-subdomain-takeover-using

Please consider my report to support my study.

Thank you,

Karl
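The report above recommends removing the dangling CNAME; the following is an added example (not from the reporter or the Polymath project) of how a defender would audit a zone for exactly that condition offline. It classifies a host as dangling when its CNAME target no longer resolves, or when the target is a third-party platform and the page served for the host carries that platform's "unclaimed" response. All hostnames, addresses, response bodies and the Unbounce fingerprint string are constructed assumptions for illustration, not observed data for polymath.network.

```python
"""Audit a DNS zone for dangling CNAME records (subdomain-takeover candidates).

Resolvers and the HTTP fetcher are injected so the check runs offline against
constructed sample data; swap in real lookups to run it against a live zone.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample zone (assumption): host -> CNAME target, all FQDNs with trailing dot.
SAMPLE_CNAMES: Dict[str, str] = {
    "go.example.com.": "unbouncepages.com.",        # points at a platform, page unclaimed
    "www.example.com.": "example.com.",             # healthy internal target
    "old.example.com.": "gone.example-cdn.net.",    # target no longer resolves at all
}

# Constructed A records (assumption): which CNAME targets still resolve.
SAMPLE_A: Dict[str, List[str]] = {
    "unbouncepages.com.": ["192.0.2.10"],
    "example.com.": ["192.0.2.1"],
}

# Constructed HTTP bodies returned when fetching each host (assumption).
SAMPLE_BODIES: Dict[str, str] = {
    "go.example.com.": "The requested URL / was not found on this server.",
    "www.example.com.": "<html>Welcome</html>",
}

# Platform -> text its edge returns for a hostname nobody has claimed.
# The Unbounce entry is an illustrative assumption, not a verified fingerprint.
PLATFORM_FINGERPRINTS: Dict[str, str] = {
    "unbouncepages.com.": "The requested URL / was not found on this server.",
}


@dataclass
class Finding:
    host: str
    cname: Optional[str]
    reason: str  # "ok" | "no-cname" | "target-nxdomain" | "unclaimed-platform-host"

    @property
    def dangling(self) -> bool:
        return self.reason in ("target-nxdomain", "unclaimed-platform-host")


def _fqdn(name: str) -> str:
    """Normalise to lower-case with a single trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".") + "."


def sample_cname(host: str) -> Optional[str]:
    return SAMPLE_CNAMES.get(_fqdn(host))


def sample_a(host: str) -> List[str]:
    return SAMPLE_A.get(_fqdn(host), [])


def sample_fetch(host: str) -> Optional[str]:
    return SAMPLE_BODIES.get(_fqdn(host))


def check_host(
    host: str,
    resolve_cname: Callable[[str], Optional[str]] = sample_cname,
    resolve_a: Callable[[str], List[str]] = sample_a,
    fetch: Callable[[str], Optional[str]] = sample_fetch,
) -> Finding:
    """Classify one hostname. Order matters: an unresolvable target is the clearest
    dangling signal; a resolvable platform target is only dangling if the platform
    itself says nobody owns the hostname."""
    host = _fqdn(host)
    cname = resolve_cname(host)
    if cname is None:
        return Finding(host, None, "no-cname")
    cname = _fqdn(cname)
    if not resolve_a(cname):
        return Finding(host, cname, "target-nxdomain")
    for platform, fingerprint in PLATFORM_FINGERPRINTS.items():
        if cname == platform or cname.endswith("." + platform):
            body = fetch(host) or ""
            if fingerprint in body:
                return Finding(host, cname, "unclaimed-platform-host")
    return Finding(host, cname, "ok")


def audit(hosts: Iterable[str], **lookups) -> List[Finding]:
    """Return only the findings that warrant removing or re-pointing the record."""
    return [f for f in (check_host(h, **lookups) for h in hosts) if f.dangling]


if __name__ == "__main__":
    for finding in audit(SAMPLE_CNAMES):
        print(f"{finding.host} -> {finding.cname}: {finding.reason}")
```

To run this against a real zone, pass your own `resolve_cname`, `resolve_a` and `fetch` callables (for example thin wrappers around a DNS library and an HTTP client) in place of the sample ones; the classification logic does not change. A `target-nxdomain` result is dangling regardless of platform, while `unclaimed-platform-host` depends on the fingerprint table being accurate for that provider, so verify each provider's unclaimed response before trusting that branch.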

maxsam4 commented 4 years ago

Hey @aparcekarl, thanks for the report. I agree that there shouldn't be any dangling DNS records. I'll talk to the team to check if we are actively using Unbounce. If we are, then it's not possible to claim the domain in some other account.

Looking a bit more into how Unbounce works, it seems like they require a unique id in the CNAME record to claim a domain. Assuming that we do not have an active Unbounce account anymore, wouldn't the lack of the unique code in the CNAME record still prevent hostile takeovers?

Thank you once again for reporting the issue to us.

aparcekarl commented 4 years ago

Thanks for the great response. In my past experience with this particular takeover, it works when the account using the subdomain has been deleted. In the meantime, takeover is highly possible since no more content is hosted on the vulnerable subdomain.