[Owasp-leaders] Zone transfer
rorym at nmrconsult.net
Thu Apr 8 05:00:22 EDT 2010
On Thu, Apr 8, 2010 at 9:49 AM, OWASP Geneva Chapter
<antonio.fontes at owasp.org> wrote:
> On 8 April 2010 09:00, Erlend Oftedal <Erlend.Oftedal at bekk.no> wrote:
>> I see this message popping up from time to time on twitter, that owasp.org
>> is vulnerable to zone transfer.
>> I guess that’s something we want to fix.
>> “RT @maxisoler: +1 WTF?! RT: @Jabra: Wtf owasp.org is still vulnerable to
>> zone transfer!”
> Hi Leaders,
> The initial security requirement dictates that zone content disclosure
> should be restricted in order to reduce the risk of hidden/internal
> hosts disclosure (which we could even argue is a "security by
> obfuscation" practice).
> Keeping it open might also mean we did our work correctly, applied
> basic risk assessment, and stuck to our "openness" principle.
> (okay okay, devil's advocate now heading towards the exit door)
I'd agree that there shouldn't be "private" information available
in public DNS, as there are other ways (e.g., DNS brute-force) to get
access to that kind of information.
That said, from a PR perspective, it may not look good for us to have
something present in our security posture which is generally
considered a "bad thing", so probably worth changing...
my 0.02 of local currency.
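For the "fix" the thread is weighing, here is the shape it takes on a BIND primary; this is an added example, not configuration from the thread or from owasp.org, and the key name, secret and addresses are constructed placeholders.

```conf
# Added example, not from the thread. BIND named.conf fragments for one
# primary nameserver; key, secret and addresses are constructed placeholders.

# Weak setting: any client on the Internet may pull the whole zone with AXFR.
#   options { allow-transfer { any; }; };

# Corrected: default-deny, then permit transfers only for requests
# signed with a TSIG key that is shared with the secondaries.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64";   # generate with: tsig-keygen xfer-key
};

options {
    allow-transfer { none; };      # nothing is transferable unless a zone allows it
};

zone "example.org" {
    type primary;                  # "master" on BIND older than 9.16
    file "db.example.org";
    allow-transfer { key "xfer-key"; };        # signed requests only
    also-notify { 192.0.2.10; 198.51.100.20; };  # secondaries (RFC 5737 doc addresses)
};
```

After reloading, an unsigned `dig @<your nameserver> example.org AXFR` from outside should report "Transfer failed." rather than listing the zone.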