Type: Input Validation Failure
Product: Admin-Ahead Bulk DNS TTL Changer
Vulnerable Version: 1.0.0
Fixed Version: 1.0.1
Here we introduce the A-AST Bulk DNS TTL changer v1.0 for cPanel/WHM. With this interface, you get to lower TTL values for multiple domains all at once, and make sure that the DNS information that you change will take effect in a shorter interval of time. What’s more? Once your migration is complete, you can use this same tool to raise the DNS TTL values of multiple domains and thus make life a little easier on name servers.
An input validation failure allows an attacker to modify the TTL of any domain on the server.
We rate this vulnerability as MEDIUM because any domain’s TTL can be modified.
This vulnerability was tested against Admin-Ahead Bulk DNS TTL Changer v1.0.0 and is believed to exist in all prior versions.
This vulnerability was patched in Admin-Ahead Bulk DNS TTL Changer v1.0.1.
Vendor Contact Timeline:
2013-11-17: Vendor contacted via email.
2013-11-17: Vendor confirms vulnerability.
2013-11-18: Vendor issues 1.0.1 update.
2013-11-18: Rack911 issues security advisory.