
Discourse hosted subdomain takeover possible?

Open chackmate opened this issue 5 years ago • 6 comments

Are subdomains hosted at Discourse vulnerable to takeover or not?

chackmate avatar Oct 06 '18 21:10 chackmate

It doesn't appear so. I found a Discourse subdomain that was serving me a 404 when visiting. Upon trying to create a demo using the subdomain that was returning a 404, I was given the following error, which you can see in the attached image. [screenshot]

mardinyadegar avatar Jan 09 '19 04:01 mardinyadegar

More info from 2017.

https://hackerone.com/reports/264494

pdelteil avatar Sep 27 '20 20:09 pdelteil

@pdelteil Following back up on this. Do we know what the site displays (search text) for when a domain is vulnerable? Seems like this is pretty old, but not seeing it anywhere.

jbreed avatar Dec 16 '20 01:12 jbreed

So yesterday I found a Google acquisition that pointed to xxx.trydiscourse.com. I registered the Discourse account with the trial and managed to take over the CNAME the original one pointed to. Due to some weird caching issues the original domain remained at 404, but I managed to take over the CNAME linked to it.

NagliNagli avatar Jan 22 '21 20:01 NagliNagli

I found out that *.trydiscourse.com is vulnerable, whereas *.hosted-by-discourse.com is not vulnerable.

So, subdomain takeover on Discourse is possible in edge cases.

h3cksamrat avatar Mar 10 '21 04:03 h3cksamrat

I can confirm that *.hosted-by-discourse.com is not vulnerable.
When you sign up they give you a unique CNAME and they validate that you have the correct CNAME in your DNS config.


ghost avatar Mar 10 '21 12:03 ghost
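
An added example, not posted by anyone in this thread and not part of the can-i-take-over-xyz project: a defender-side audit of your own zone export that sorts CNAME targets by the two Discourse suffixes the comments above distinguish. The zone data, hostnames and function names are constructed, and the labels only repeat what commenters reported here.

```python
# Added example: classify CNAME targets in a zone export by Discourse suffix.
# Labels repeat what commenters in this thread reported, not Discourse's own
# statement. Zone data, hostnames and function names are constructed.
DISCOURSE_SUFFIXES = {
    "trydiscourse.com": "review: reported vulnerable in this thread",
    "hosted-by-discourse.com": "reported not vulnerable (CNAME validated)",
}

SAMPLE_ZONE = """\
$ORIGIN example.test.
; constructed sample records
forum      3600 IN CNAME acme.trydiscourse.com.
community  IN CNAME Acme.Hosted-By-Discourse.com.
www        300 IN CNAME cdn.example.net.
legacy     IN A 192.0.2.10
lookalike  IN CNAME x.nottrydiscourse.com.
"""


def absolute(name, origin):
    """Lower-case a DNS name and qualify it against $ORIGIN if relative."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}" if origin else name


def audit_zone(zone_text):
    """Return (owner, target, label) for each CNAME under a listed suffix."""
    origin, findings = "", []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # strip comments, tokenize
        if len(fields) >= 2 and fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower().rstrip(".")
            continue
        types = [f.upper() for f in fields]
        if "CNAME" not in types[1:-1]:  # need an owner before, target after
            continue
        target = absolute(fields[types.index("CNAME", 1) + 1], origin)
        for suffix, label in DISCOURSE_SUFFIXES.items():
            # Match on a label boundary so look-alike domains are not flagged.
            if target == suffix or target.endswith("." + suffix):
                findings.append((absolute(fields[0], origin), target, label))
    return findings


if __name__ == "__main__":
    for owner, target, label in audit_zone(SAMPLE_ZONE):
        print(f"{owner} -> {target}: {label}")
```

Records flagged for review are the ones to check against an active Discourse site you control, and to delete from DNS if the site has been retired.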