Does ISOCNZ's site have a gaping security hole?
Copyright © 1997 to 7am News
Following on from a story run earlier today on Aardvark, several readers have written to point out what they see as a huge security hole on the ISOCNZ site.
The 'Domain Name Enquiry/Change' form mentioned in this morning's story appears to openly invite hackers to submit changes to some entries in the registry.
One reader pointed out that if you enter one of the "yet to be migrated" domain names such as xtra.co.nz into both the "domain name" and "key" fields, you bypass the security and are presented with a screen which allows you to enter new details for the registry listing.
Although there is a disclaimer on the site that says the registry is not responsible for the information, should they not at least be a little more careful about providing access to this form?
What's even more astounding is that the instructions on how to hack the site are given on the page where the key must be entered. Under the "Key" field it clearly says "For names that have not yet been migrated to the automated system, the key is just the domain name".
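As an added illustration (not code from the article or from ISOCNZ's system), the check below models the fallback the form describes, where an unmigrated name's key is the name itself, beside a hardened version that refuses changes until a random per-domain key has been issued and compares it in constant time. The registry records and key values are constructed placeholders.

```python
import hmac
import secrets

# Constructed sample registry (not ISOCNZ data): each record carries the
# domain's migration status and, once migrated, a randomly issued key.
REGISTRY = {
    "example-migrated.co.nz": {"migrated": True, "key": "constructed-key-0001"},
    "example-legacy.co.nz": {"migrated": False, "key": None},
}


def authorise_change_weak(domain, key):
    """Mirrors the fallback the form documents: for a name not yet migrated
    the key is just the domain name, so anyone who knows the name passes."""
    rec = REGISTRY.get(domain)
    if rec is None:
        return False
    if not rec["migrated"]:
        return key == domain
    return key == rec["key"]


def authorise_change_hardened(domain, key):
    """No public fallback: an unmigrated name cannot be changed through the
    form until a key has been issued, and the comparison is constant-time."""
    rec = REGISTRY.get(domain)
    if rec is None or not rec["migrated"] or not rec["key"]:
        return False
    return hmac.compare_digest(key.encode(), rec["key"].encode())


def issue_key(domain):
    """Migrate a legacy name by issuing a random key (delivered to the
    registered contact out of band) rather than deriving it from the name."""
    rec = REGISTRY[domain]
    rec["key"] = secrets.token_hex(16)
    rec["migrated"] = True
    return rec["key"]
```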
Patric O'Brien of the ISOCNZ registry had no comment to make when contacted this morning and Jim Higgins was "unobtainable". Although a message has been left on Higgins' voice-mail system, no response has yet been forthcoming.
Many sites have security problems from time to time, but it has to be said that ISOCNZ is the only one I've heard of which has gone so far as to include "hacker instructions" on their pages.