[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] NO-IP service Flaw

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] NO-IP service Flaw
From: Tribal MP <tribalmp@xxxxxxxxx>
Date: Mon, 26 Jan 2009 15:47:06 +0000

A flaw exists in NO-IP service while updating the status. The problem
reside in the URL and corresponding variables because they are send in
plain text.

By monitoring HTTP traffic in a machine using NO-IP DUC it's possible
to intercept the username, password and subdomain for the account.

Example:
http://dynupdate.no-ip.com/ducupdate.php?username=email@xxxxxxxxx&pass=123456789&h[]=subdomain.no-ip.biz


Fabio Pinheiro
http://dicas3000.blogspot.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] NO-IP service Flaw
  - From: ghost

Prev by Date: [Full-disclosure] Solaris Devs Are Smoking Pot
Next by Date: [Full-disclosure] [SECURITY] [DSA 1711-1] New TYPO3 packages fix remote code execution
Previous by thread: Re: [Full-disclosure] Solaris Devs Are Smoking Pot
Next by thread: Re: [Full-disclosure] NO-IP service Flaw
Index(es):
- Date
- Thread