vulnerability-demo.benchmarkdotnet.org

Why am I seeing this page?

This page is hosted using GitHub Pages. When this website was set up, it was configured so that every subdomain can also be hosted on GitHub Pages, and those sites can be created by anybody.

The page you are reading was published by somebody not affiliated with this root domain name, as a demonstration and as a recommendation that the owner change that.

The domain owner might not have intended or expected this page to get here, and if other people do it too, there could be serious problems, so please see below for what is wrong here and how to fix it.

Why this is important

Through this vulnerability, anyone can create a website and make it look like it comes from you. Malicious hackers can perform illegal activity via this subdomain and make it appear as if the owner of this domain were responsible for it, or at least tarnish the domain owner’s reputation.

Right now, somebody could publish a page under your domain name, at a subdomain like login., api., or password-reset., and make it look just like your website. They could:

Most websites do not want this type of subdomain freedom. However, some sites like Wikia, GitHub Pages, and Blogspot use this technique to give people their own sites, and there it is closely monitored for any of the activity mentioned above.

Contact information

This page is published by William Entriken / https://phor.net / entriken@phor.net along with help as noted at https://privacylog.blogspot.com/2021/04/upcoming-event-zero-day-live-2021-05-01.html

How to fix this vulnerability

You will need to log in to your domain name registrar to fix this problem. GitHub Pages (https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/troubleshooting-custom-domains-and-github-pages#custom-domain-names-that-are-unsupported) warns that:

Warning: We strongly recommend not using wildcard DNS records, such as *.example.com. A wildcard DNS record will allow anyone to host a site at one of your subdomains.

https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/troubleshooting-custom-domains-and-github-pages

In all cases, you probably want to delete the wildcard record (“*”) that points to the GitHub Pages IP addresses: 185.199.108.153, 185.199.109.153, 185.199.110.153, 185.199.111.153.
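
A check for the wildcard record described above, written as an added example (not part of the original page and not GitHub tooling): it scans a BIND-style zone export for "*" records that point at the four GitHub Pages addresses listed here or, going slightly beyond the page, at a *.github.io CNAME target. The function name, the sample zone, example.com and exampleorg.github.io are constructed placeholders.

```python
# Added example: find wildcard DNS records that hand unclaimed subdomains to GitHub Pages.
GITHUB_PAGES_IPS = {
    "185.199.108.153", "185.199.109.153",
    "185.199.110.153", "185.199.111.153",
}  # the four addresses listed on this page
RR_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "TXT", "SOA"}

def find_wildcard_pages_records(zone_text):
    """Return (owner, rtype, rdata) for each wildcard record aimed at GitHub Pages."""
    findings = []
    owner = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop zone-file comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue  # blank line or $ORIGIN/$TTL directive
        fields = line.split()
        # A line that starts with whitespace inherits the previous owner name.
        if not raw[0].isspace():
            owner = fields.pop(0)
        # Skip the optional TTL and class columns to reach the record type.
        while fields and fields[0].upper() not in RR_TYPES:
            fields.pop(0)
        if len(fields) < 2 or owner is None:
            continue
        rtype, rdata = fields[0].upper(), fields[1].lower()
        is_wildcard = owner == "*" or owner.startswith("*.")
        to_pages = (rtype == "A" and rdata in GITHUB_PAGES_IPS) or (
            rtype == "CNAME" and rdata.rstrip(".").endswith(".github.io")
        )
        if is_wildcard and to_pages:
            findings.append((owner, rtype, rdata))
    return findings

# Constructed sample zone for the placeholder domain example.com.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@      IN A     185.199.108.153   ; apex site, claimed in GitHub Pages
www    IN CNAME exampleorg.github.io.
*      IN A     185.199.108.153   ; wildcard: any subdomain resolves to Pages
       IN A     185.199.109.153
*.dev  300 IN CNAME exampleorg.github.io.
mail   IN A     192.0.2.25
"""

if __name__ == "__main__":
    for owner, rtype, rdata in find_wildcard_pages_records(SAMPLE_ZONE):
        print(f"wildcard to GitHub Pages: {owner} {rtype} {rdata}")
```

Pass the text of your own zone export to the function; each tuple it returns is a wildcard record to review for deletion, while explicit names such as www are left alone.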

Then some of this advice might apply to you: