Posted by k | Posted in Uncategorized | Posted on 02-12-2007
This is massive. I wonder why no one has ever posted this somewhere.
Most domain registrars (I have yet to find one that does) will not filter what you put in your REGISTRANT CONTACT INFO and WILL allow the script tag! Just try it for yourself and rebaptize yourself as:
As you know, once you are able to run scripts, the sky is the limit. You can be a hacker and steal document.cookie to hijack a session and get complete access to another domainer's account, or be a nice guy and put an entire cool game in your registrant contact info.
Keep in mind that you will be injecting into your own page, so you had better use it for more harmless stuff, like logging people's visits.
Who is vulnerable? Many, many WHOIS lookup pages, including Whois.net and the registrar Dynadot.com.
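The bug the post describes lives in the WHOIS lookup page, not in the registrar's database: the registrant fields are stored verbatim, so whatever page displays them decides whether a `<script>` tag in the registrant name runs or is shown as text. The snippet below is an added example written for this post, not code from the post or from any registrar or WHOIS site; the record is a constructed sample and the function names (`renderWhoisUnsafe`, `renderWhoisSafe`, `findMarkupInWhois`) are hypothetical. It puts the vulnerable rendering beside the hardened one and adds a check a lookup service can run on records before display.

```javascript
// Constructed sample WHOIS record (not a real registration). The registrant
// name carries the kind of markup the post says registrars accept unfiltered.
const sampleWhois = {
  domain: "example.com",
  registrantName: "K <script>alert(1)</script>",
  registrantEmail: "k@example.com",
};

// Minimal HTML escaping for text placed inside an element body or attribute.
// Ampersand must be replaced first so already-escaped output is not doubled.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering (the pattern behind the post's finding): registrant
// fields are concatenated straight into the page, so markup in them is live.
function renderWhoisUnsafe(record) {
  return (
    "<table>" +
    `<tr><td>Domain</td><td>${record.domain}</td></tr>` +
    `<tr><td>Registrant</td><td>${record.registrantName}</td></tr>` +
    `<tr><td>Email</td><td>${record.registrantEmail}</td></tr>` +
    "</table>"
  );
}

// Hardened rendering: every field that came from the registrar is treated as
// untrusted text and escaped, so "<script>" reaches the browser as "&lt;script&gt;".
function renderWhoisSafe(record) {
  const row = (label, value) =>
    `<tr><td>${label}</td><td>${escapeHtml(value)}</td></tr>`;
  return (
    "<table>" +
    row("Domain", record.domain) +
    row("Registrant", record.registrantName) +
    row("Email", record.registrantEmail) +
    "</table>"
  );
}

// Detection: return the names of WHOIS fields that contain an HTML tag, so a
// lookup service can log or reject such records rather than quietly render them.
function findMarkupInWhois(record) {
  const tag = /<\/?[a-z][^>]*>/i;
  return Object.entries(record)
    .filter(([, value]) => tag.test(String(value)))
    .map(([field]) => field);
}

// Stand-alone demonstration on the constructed record.
console.log("fields with markup:", findMarkupInWhois(sampleWhois));
console.log("unsafe:", renderWhoisUnsafe(sampleWhois));
console.log("safe:  ", renderWhoisSafe(sampleWhois));
```

In a browser front-end the same guarantee comes from assigning the field to `td.textContent` instead of building HTML strings; escaping on output is what matters, since the registrar will not do it for you and command-line WHOIS clients never needed it.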
Update: Dynadot fixed the XSS after some fuss on some well-known domainer forums. Others are still vulnerable.
Last, but not least, it's not every day you receive such a nice compliment from one of the top gurus ever!