leamas
commented
6 years ago Agreed. Short of time for now, will try to fix "later" (tm).
Thanks for reporting (all three)!
Closed crass closed 6 years ago
leamas
commented
6 years ago Agreed. Short of time for now, will try to fix "later" (tm).
Thanks for reporting (all three)!
leamas
commented
6 years ago Admittedly, I'm a bit lazy here. That said: Have you checked that it works - it didn't last time I tried IIRC.
crass
commented
6 years ago Yep, I have checked that it works. I'm using a locally modified install of 0.5.3 from Ubuntu and tested using curl. Thanks for the nice project!
leamas
commented
6 years ago Fixed in [066c9eb]. Thanks for reporting, and I would appreciate if you could test,
leamas
commented
6 years ago 0.6.1 is out with this fix, closing.
If an attacker is able to see ddupdate communications on the wire for the freedns.afraid.org service, they will be able to get a list of update urls in the clear and be able to use them to update the dyndns to whatever ip they want. This could lead to even more sensitive information being exposed if they then setup a fake service resembling yours and use that to phish for credentials. It appears that only
httpneeds to change tohttps. Then the returned update urls will also be in https, which is less of a security issue, but everything should be https anyway.https://github.com/leamas/ddupdate/blob/e8891063ae7ef109e41ac78db6880b3dd7aa1f24/plugins/freedns.py#L32