
#40 Security vulnerability in recordwrite.php

open
nobody
None
5
2013-03-21
2013-03-21
Ryan Moore
No

While recordwrite.php does verify that the logged-in user does own the domain passed through as $_GET[i] via the form action parameter, it doesn't verify that the hidden $_POST['zoneid'] variable is owned by the. By manipulating a POST statement (or saved .html file since there are no referrer checks, which can still be bogus), a malicious user can insert or edit hosts in other zone files. I added a simple check to make sure that both of those variables match ($_GET['i'] == $_POST['zoneid']).
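
The gap described in this report, as an added example (not the project's code and not the reporter's patch): ownership is verified for the zone id in the URL while a different, unverified id from the form is the one written. The function names and the ownership table are hypothetical and constructed for illustration.

```php
<?php
// Added example; names and data are hypothetical, not from recordwrite.php.

// Constructed ownership table: zone id => owning user id.
const ZONE_OWNERS = [10 => 1, 20 => 2];

function user_owns_zone(int $userId, int $zoneId): bool
{
    return (ZONE_OWNERS[$zoneId] ?? null) === $userId;
}

// Behaviour described in the ticket: only $_GET['i'] is checked for
// ownership; $_POST['zoneid'], which selects the zone written, is ignored.
function authorize_before(int $userId, array $get, array $post): bool
{
    return user_owns_zone($userId, (int) ($get['i'] ?? 0));
}

// Hardened: both ids must be well-formed integers, must be identical,
// and the id that will actually be written must belong to the session user.
function authorize_after(int $userId, array $get, array $post): bool
{
    $urlZone  = filter_var($get['i'] ?? null, FILTER_VALIDATE_INT);
    $formZone = filter_var($post['zoneid'] ?? null, FILTER_VALIDATE_INT);

    if ($urlZone === false || $formZone === false) {
        return false; // missing or non-numeric id
    }
    if ($urlZone !== $formZone) {
        return false; // hidden field does not match the verified zone
    }
    return user_owns_zone($userId, $formZone);
}

// Constructed requests for session user 1, who owns zone 10 only.
$get        = ['i' => '10'];
$mismatched = ['zoneid' => '20']; // hidden field names another user's zone
$matching   = ['zoneid' => '10'];

var_dump(authorize_before(1, $get, $mismatched)); // old check
var_dump(authorize_after(1, $get, $mismatched));  // hardened check
var_dump(authorize_after(1, $get, $matching));    // legitimate edit
```

Checking ownership of the id that is actually written, rather than only comparing the two request values, keeps the authorization correct even if a later change stops sending the id in the URL.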
