[linux-elitists] Domain name registrar for BOFHs?
Tabinda N. Khan
Mon Jun 19 08:30:44 PDT 2000
Here's a quote from a Bugtraq message on 6/16.
You can read the whole thing in the archive,
under the subject line "Proposal for
standardizing a set of security guidelines for
web applications" by Dan N. Stupid frames.
A few days ago, I found out that a
register.com ip checked out a domain name I just
setup. Since no one could known about the domain
name, and my webserver logs referers, I decided
to follow the referer since I would like to know
where on their site my new domain was linked. I
ended up finding out that this link brings me to
their webbased ISP administration software.
After doing some tests with some of my domain
names, I found out that I was able to change
anything from contact info to dns settings. I
asked a friend of mine to do the same thing with
his domains hosted by register.com, and he was
able to do the same thing. This means that
anyone, knowing how the site's url structure is
setup, can change ANY domain setting for any
domain hosted by register.com We all know how
many domains they host , and this could have
been a serious disaster. This is where the first
mistake was made. The referer should have been
rewritten by some sort of cgi proxy, or just not
Quoting Doc Searls:
> >I have had enough of Network Solutions, their candy-ass web site, and
> >their bullshit EULA. So I tried Tierranet's "Domain Discover" service,
> >since that seems to be where Rick Moen has moved linuxmafia.com, and it
> >seems pretty easy. Anyone else used a registrar other than Network
> >Solutions? Comments on Tierranet or the others?
> I like register.com <http://www.register.com>, because it tries to
> sell you these dumb but fun-to-see e-bullshit permutations of
> whatever you just checked. I wrote about it... where... lemme see...
> here::: <http://doc.weblogs.com/2000/06/01>. Scroll down to the
> "Knowledge In, Fun Out" subhead.
More information about the linux-elitists