You may have already heard about the hack and defacement of NIC.tm. After gmail.tm was defaced, NIC's response was acceptable: they fixed their vulnerabilities as fast as they could. However, that wasn't the end of the story; we have seen several changes in the server's applications since. It wasn't only about NIC.tm, it concerned every NIC that had the same CMS installed. We simply searched for "powered by ICB plc, UK." and found that four NICs are using this application:
www.nic.ac www.nic.tm www.nic.io www.nic.sh
Since we reported the bugs on our blog, they addressed the problems (they owe us, since they got a free penetration test of their CMS), and as far as we know the CMS is now almost safe. But we found two considerable security issues on the server side. After scanning their server, we found that the Apache version is 1.3.33, which has several known vulnerabilities. This can be easily verified by referring to this link. So we sent the following HTTP request to the server:
GET / HTTP/1.1
Expect: <script>alert(11111)</script>
Host: nic.tm
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Acunetix-Product: WVS/8.0 (Acunetix Web Vulnerability Scanner - NORMAL)
Acunetix-Scanning-agreement: Third Party Scanning PROHIBITED
Acunetix-User-agreement: http://www.acunetix.com/wvs/disc.htm
Accept: */*
And it resulted in an XSS:
All domains are affected by this flaw. Another important issue was Apache's mod_rewrite module, which is vulnerable to a buffer overflow (check this out). An exploit for the Linux platform is available in Core Impact (Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild). With this, our project on this CMS is almost finished. Stay safe.
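For an operator who runs one of these servers, the useful follow-up is a repeatable way to confirm the two server-side findings above on their own host, before and after patching. The following is an added example, not code from the original post or from NIC/ICB; it works purely offline on a captured raw HTTP response. It parses the Server banner, flags an Apache branch that is no longer maintained (1.3 and 2.0 are both end-of-life, so anything below 2.2 is flagged), and checks whether the value of the Expect header is echoed into the 417 error page as live markup or as HTML entities. The two sample responses are constructed here to resemble Apache's stock 417 page; they are not captures from any of the listed domains.

```python
"""Added example: offline verification of an Apache Server banner and of
Expect-header reflection in a captured 417 response. Not part of the
original post; sample responses are constructed."""
import re
from html import escape

# The harmless marker used in the Expect header of the request shown above.
PROBE = "<script>alert(11111)</script>"

# Constructed: what an unpatched 1.3.x server answers when it copies the
# offending Expect value straight into its HTML error page.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 417 Expectation Failed\r\n"
    "Server: Apache/1.3.33 (Unix)\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<html><head><title>417 Expectation Failed</title></head><body>"
    "<h1>Expectation Failed</h1>"
    "<p>The expectation given in the Expect request-header field could not be "
    "met by this server.</p><p>The client sent<pre>\n    Expect: "
    + PROBE +
    "\n</pre>but we only allow the 100-continue expectation.</p>"
    "</body></html>"
)

# Constructed: the same page from an upgraded server that HTML-escapes the
# header value before embedding it.
FIXED_RESPONSE = (
    VULNERABLE_RESPONSE
    .replace(PROBE, escape(PROBE, quote=False))
    .replace("Apache/1.3.33", "Apache/2.2.3")
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, headers, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def apache_version(headers):
    """Return (major, minor, patch) from a 'Server: Apache/x.y.z' header,
    or None when the banner is hidden or not Apache."""
    m = re.match(r"Apache/(\d+)\.(\d+)\.(\d+)", headers.get("server", ""))
    return tuple(int(p) for p in m.groups()) if m else None


def banner_is_unsupported(headers):
    """True when the advertised Apache branch is no longer maintained
    (1.3.x and 2.0.x are both end-of-life)."""
    version = apache_version(headers)
    return version is not None and version < (2, 2, 0)


def expect_reflection(raw, probe=PROBE):
    """Classify how the Expect value appears in the body: 'unescaped' means
    the markup is live (XSS), 'escaped' means only entities were emitted,
    'absent' means the server did not echo it at all."""
    _, _, body = parse_response(raw)
    if probe in body:
        return "unescaped"
    if escape(probe, quote=False) in body:
        return "escaped"
    return "absent"


def assess(raw):
    """Combine both checks into one report for a captured response."""
    status, headers, _ = parse_response(raw)
    return {
        "status": status,
        "server": headers.get("server"),
        "unsupported_branch": banner_is_unsupported(headers),
        "expect_reflection": expect_reflection(raw),
    }


if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE),
                       ("fixed", FIXED_RESPONSE)):
        print(label, assess(raw))
```

Feed it the bytes of a response you captured from your own server; a result of "unescaped" together with an unsupported banner means the fix is still outstanding. The reflection check only confirms the symptom, so the actual remediation remains upgrading off the 1.3 branch, which also retires the mod_rewrite issue mentioned above.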