
Security issue on installing your own Tucows/OpenSRS Reseller Client Library

There is a security issue when you install your RCL to manage your own domains registered with Tucows/OpenSRS.

/cgi-bin/manage.cgi has a "Forgot Password?" feature that sends the password to the owner or admin contact of the domain name.

The following flags in OpenSRS.conf manage this feature:

           # setting this will allow your customers to request their username /
           # password be sent to them through main manage.cgi screen.  The
           # password that is sent can be either that for the main user or the
           # subuser of the domain, and it can be sent to either the admin
           # contact, or the owner (registrant) of the domain.  Note that if
           # set to sub-user, and sub-user doesn't exist, an error will be
           # returned.
           allow_password_requests => 0,
           password_send_to_admin =>  0,
           password_send_to_owner => 0,
           password_send_subuser => 0,      # 1 to send sub-user password
           enable_cira_email_pwd => 0,
           );

Suppose you have a single account profile in OpenSRS and you register all your domains under this profile, and also suppose the send-password flags are turned on (set to 1).

One day one of your customers asks you to let him manage his domain by himself, so you create a SUBUSER account for his domain name with the ability to change the ADMIN or OWNER data and send it to him.

This customer goes to your /cgi-bin/manage.cgi, changes the ADMIN email address, logs out, returns to /cgi-bin/manage.cgi and enters his password incorrectly; the system then offers to send the password to the admin email of the domain, and he only has to click OK.
Unfortunately OpenSRS will send the account profile password to the SUBUSER, who can then log in to your profile, and God knows what will happen then.

So turning off these flags is strongly recommended.
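As an added illustration that is not part of the original post or of the OpenSRS RCL code, the Python below parses the five password-request flags out of an OpenSRS.conf fragment (a constructed sample in the same Perl hash syntax as above) and reports the combination the post describes: requests allowed, delivery to a contact address that a sub-user with contact-edit rights can change, and the main profile password (not the sub-user password) being what gets mailed. The severity split in `audit` between the main-user and sub-user cases is my own reading of the comment block in the conf, not OpenSRS documentation; `hardened` applies the post's recommendation of switching the whole feature off.

```python
import re

# Constructed sample of the relevant OpenSRS.conf section (Perl hash syntax),
# with the password-request feature switched on. Not taken from a real install.
SAMPLE_CONF = """
    # setting this will allow your customers to request their username /
    # password be sent to them through main manage.cgi screen.
    allow_password_requests => 1,
    password_send_to_admin =>  1,
    password_send_to_owner => 0,
    password_send_subuser => 0,      # 1 to send sub-user password
    enable_cira_email_pwd => 0,
);
"""

# Matches lines of the form:   key => 0,   (trailing "# comment" is ignored)
FLAG_RE = re.compile(r"^\s*(\w+)\s*=>\s*(\d+)\s*,")

PASSWORD_FLAGS = {
    "allow_password_requests",
    "password_send_to_admin",
    "password_send_to_owner",
    "password_send_subuser",
    "enable_cira_email_pwd",
}


def parse_flags(conf_text):
    """Return {flag_name: int} for the known password-request flags.

    Full-line comments are skipped; anything that is not one of the five
    flags is ignored, so the parser is safe to run over the whole file.
    """
    flags = {}
    for line in conf_text.splitlines():
        if line.strip().startswith("#"):
            continue
        m = FLAG_RE.match(line)
        if m and m.group(1) in PASSWORD_FLAGS:
            flags[m.group(1)] = int(m.group(2))
    return flags


def audit(flags):
    """Return a list of findings describing the exposure of a flag set.

    The dangerous case from the post: requests are allowed, the reply goes to
    the admin and/or owner contact (which a sub-user with contact-edit rights
    can change), and password_send_subuser is 0, so the password mailed out
    is the main profile password.
    """
    findings = []
    if flags.get("allow_password_requests", 0) != 1:
        return findings  # feature is off: nothing is ever mailed

    targets = [k for k in ("password_send_to_admin", "password_send_to_owner")
               if flags.get(k, 0) == 1]
    if not targets:
        findings.append("allow_password_requests=1 but no delivery target is "
                        "enabled; review whether the feature is needed at all")
        return findings

    if flags.get("password_send_subuser", 0) == 0:
        findings.append("CRITICAL: main profile password is mailed to %s; a "
                        "sub-user who can edit that contact can obtain it"
                        % ", ".join(targets))
    else:
        # Assumed to be less severe: only the sub-user's own password leaves
        # the system, but the request feature is still exposed.
        findings.append("WARNING: sub-user password is mailed to %s; password "
                        "requests are still enabled" % ", ".join(targets))
    return findings


def hardened(flags):
    """Return a copy of the flag set with the whole feature disabled,
    which is what the post recommends."""
    fixed = dict(flags)
    for name in PASSWORD_FLAGS:
        fixed[name] = 0
    return fixed


if __name__ == "__main__":
    current = parse_flags(SAMPLE_CONF)
    for finding in audit(current) or ["OK: no password-request exposure"]:
        print(finding)
    print("after hardening:", audit(hardened(current)) or "clean")
```

Run it against the real file with `parse_flags(open("OpenSRS.conf").read())`; an empty list from `audit` means the feature is off.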

Posted on 25 Aban 1384 - 7:30 PM

Comments

No comments have been posted yet
