Closed aparcekarl closed 1 year ago
Hi there,
Do you have updates? Thank you
Hey there @aparcekarl - docs.radicle.xyz has been sunset for now as they work on a new version of docs for radicle.xyz.
This should not be left open; that will lead to a vulnerability like this.
Hi and thanks for reporting! I went through all the subdomains and deleted obsolete/dead ones to avoid any potential security breaches.
Thank you. This is all fixed now. Great work. I hope this will be eligible for a bug bounty.
Title: Web Application Security Testing
Bug type = Server Security Misconfiguration > Misconfigure DNS > High Impact Subdomain Takeover
Priority = P2 (HIGH)
Description
Hi Radicle Team,
Recently, I just found some of your domains (*radicle.xyz) pointing to the vulnerable third-party site "Netlify". This issue is about your main domain being misconfigured in Netlify.
http://docs.radicle.xyz/
Reconnaissance
I began by enumerating subdomains using turbolist3r when I stumbled upon an interesting subdomain, “docs.radicle.xyz”.
I used a command in CMD: python turbolist3r.py -v -b -d radicle.xyz -a
I verified the CNAME record via MX Toolbox for a DNS record check.
I discovered that this subdomain “docs.radicle.xyz” is having an error with Netlify, meaning a non-connection with any project. Based on my past discoveries, this is a possible subdomain takeover.
Steps to Reproduce
Risk Breakdown
Risk: Severe
Difficulty to Exploit: Easy
Complexity: Easy
Weakness Categories: Deployment Misconfiguration/Stored XSS/Authentication Bypass (CWE: 16)
CVSS2 Score: 9.3 (AV:N/AC:M/Au:S/C:C/I:C/A:N)
Reference: https://0xpatrik.com/subdomain-takeover/
Remediations
Thank you
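The cleanup described in the thread (going through every subdomain and deleting records that no longer back a live site) can be run as a recurring audit. The sketch below is an added example, not part of the original issue or Radicle's tooling; the zone-export format, the provider suffix list, the claimed-domain inventory and all hostnames are constructed assumptions.

```python
# Added example: flag CNAMEs that still point at a third-party host after the
# site behind them was removed (dangling records). All data is constructed.

# Assumption: suffixes under which the provider serves customer sites.
PROVIDER_SUFFIXES = {"netlify": ("netlify.app", "netlify.com")}

def parse_zone(text):
    """Yield (name, target) for each 'name TTL IN CNAME target' line."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop ';' comments
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "CNAME":
            yield fields[0].rstrip(".").lower(), fields[4].rstrip(".").lower()

def provider_for(target):
    """Return the provider whose suffix matches on a label boundary, else None."""
    for provider, suffixes in PROVIDER_SUFFIXES.items():
        if any(target == s or target.endswith("." + s) for s in suffixes):
            return provider
    return None

def find_dangling(zone_text, claimed_domains):
    """claimed_domains maps provider -> custom domains attached to live sites
    in the organisation's own account (hypothetical inventory export)."""
    findings = []
    for name, target in parse_zone(zone_text):
        provider = provider_for(target)
        if provider and name not in claimed_domains.get(provider, set()):
            findings.append((name, target, provider))
    return findings

SAMPLE_ZONE = """\
; constructed sample zone export for example.org
www.example.org.   300 IN CNAME example-site.netlify.app.
docs.example.org.  300 IN CNAME old-docs.netlify.app.  ; site deleted, record left
mail.example.org.  300 IN CNAME mail.example.net.
app.example.org.   300 IN A     192.0.2.10
"""
SAMPLE_CLAIMED = {"netlify": {"www.example.org"}}

if __name__ == "__main__":
    for name, target, provider in find_dangling(SAMPLE_ZONE, SAMPLE_CLAIMED):
        print(f"DANGLING {name} -> {target} ({provider}): delete the record or re-attach the domain")
```

Running the audit whenever a hosted site is deleted, and not only on a schedule, closes the window in which the DNS record outlives the site.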