full-disclosure-uk January 2009 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] NO-IP service Flaw

Re: [Full-disclosure] NO-IP service Flaw

From: <infolookup_at_nospam>
Date: Tue Jan 27 2009 - 00:41:59 GMT
To: "ghost" <ghosts@gmail.com>, full-disclosure-bounces@lists.grok.org.uk, "Tribal MP" <tribalmp@gmail.com>


Fabio,

What if you are sniffing the traffic for any http session the information is submitted in clear text. The only way this is a real problem is if someone does a mitm attack so for now that's not really a disclosure but a function of the protocol. Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: ghost <ghosts@gmail.com>

Date: Mon, 26 Jan 2009 19:12:33
To: Tribal MP<tribalmp@gmail.com>
Cc: <full-disclosure@lists.grok.org.uk>
Subject: Re: [Full-disclosure] NO-IP service Flaw

Posts like these are just as bad as n3td3v posts. Here's an idea, learn security, then come back with something interesting.

kthnx

On Mon, Jan 26, 2009 at 10:47 AM, Tribal MP <tribalmp@gmail.com> wrote:
> A flaw exists in NO-IP service while updating the status. The problem
> reside in the URL and corresponding variables because they are send in
> plain text.
>
> By monitoring HTTP traffic in a machine using NO-IP DUC it's possible
> to intercept the username, password and subdomain for the account.
>
> Example:
> http://dynupdate.no-ip.com/ducupdate.php?username=email@email.com&pass=123456789&h[]=subdomain.no-ip.biz
>
>
> Fabio Pinheiro
> http://dicas3000.blogspot.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/