EdOverflow/can-i-take-over-xyz

Discourse hosted subdomain takeover possible?

chackmate opened this issue · 6 comments

Are subdomains hosted at Discourse vulnerable to takeover or not?

It doesn't appear so. I found a Discourse subdomain that was serving me a 404 when visiting. Upon trying to create a demo using the subdomain that was returning a 404, I was given the following error, which you can see in the attached image.

[screenshot: "screen shot 2019-01-08 at 10 35 02 pm" (image not available in this copy)]

@pdelteil Following back up on this. Do we know what the site displays (search text) when a domain is vulnerable? Seems like this is pretty old, but I'm not seeing it anywhere.

So yesterday I found a Google acquisition that pointed to xxx.trydiscourse.com. I registered a Discourse account with the trial and managed to take over the CNAME the original one pointed to. Due to some weird caching issue the original domain remained at 404, but I managed to take over the CNAME linked to it.

I found out that:

- `*.trydiscourse.com` is vulnerable
- `*.hosted-by-discourse.com` is not vulnerable

So, subdomain takeover on discourse is possible in edge cases.

I can confirm that `*.hosted-by-discourse.com` is not vulnerable.
When you sign up they give you a unique CNAME, and they validate that you have the correct CNAME in your DNS config.

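For defenders auditing their own zones, the practical takeaway of this thread is that the CNAME *target* matters more than the HTTP status: both reports above saw a 404, yet only the `*.trydiscourse.com` case was claimable, and the `*.hosted-by-discourse.com` case is protected by CNAME validation at signup. The following added example (not code from the issue thread or from the can-i-take-over-xyz project) scans a constructed BIND-style zone excerpt for CNAME records, checks whether each target still resolves, and flags dangling targets under the suffixes discussed here. The zone contents, the `RISKY_SUFFIXES`/`VALIDATED_SUFFIXES` lists and the injectable `resolves` callback are assumptions for illustration.

```python
import re
import socket
from typing import Callable, Dict, Optional

# Constructed zone-file excerpt (not from the issue thread). The targets are
# placeholder hostnames chosen to illustrate each case.
SAMPLE_ZONE = """
forum      IN CNAME  example-trial.trydiscourse.com.
community  IN CNAME  example-site.hosted-by-discourse.com.
www        IN CNAME  example.cdn.invalid.
"""

# Per the thread: dangling *.trydiscourse.com targets were reported claimable,
# while *.hosted-by-discourse.com validates the CNAME at signup and was
# reported not vulnerable. Both lists are assumptions drawn from the thread.
RISKY_SUFFIXES = ("trydiscourse.com",)
VALIDATED_SUFFIXES = ("hosted-by-discourse.com",)

# owner [ttl] IN CNAME target  (class and type matched case-insensitively)
CNAME_RE = re.compile(r"^\s*(\S+)\s+(?:\d+\s+)?IN\s+CNAME\s+(\S+)\s*$", re.I)


def parse_cnames(zone_text: str) -> Dict[str, str]:
    """Return {owner: target} for every CNAME line in a zone excerpt."""
    records: Dict[str, str] = {}
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line)
        if m:
            # Strip the trailing dot of a fully qualified target for comparison.
            records[m.group(1).lower()] = m.group(2).rstrip(".").lower()
    return records


def _under(hostname: str, suffix: str) -> bool:
    """True if hostname equals suffix or is a subdomain of it (dot-anchored,
    so 'evil-trydiscourse.com' does not match 'trydiscourse.com')."""
    return hostname == suffix or hostname.endswith("." + suffix)


def _dns_resolves(hostname: str) -> bool:
    """Default resolver: does the target have any address record right now?"""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def classify(target: str, resolves: Callable[[str], bool]) -> str:
    """Classify one CNAME target:
    ok                  - target still resolves, nothing to do
    dangling-risky      - no longer resolves and sits under a suffix the thread
                          reports as claimable (investigate and remove the record)
    dangling-validated  - no longer resolves but the provider validates CNAMEs
                          (still worth cleaning up, but not reported claimable)
    dangling-unknown    - no longer resolves, provider not in either list
    """
    if resolves(target):
        return "ok"
    if any(_under(target, s) for s in RISKY_SUFFIXES):
        return "dangling-risky"
    if any(_under(target, s) for s in VALIDATED_SUFFIXES):
        return "dangling-validated"
    return "dangling-unknown"


def audit_zone(zone_text: str,
               resolves: Optional[Callable[[str], bool]] = None) -> Dict[str, str]:
    """Map each CNAME owner in the zone to its classification."""
    resolver = resolves or _dns_resolves
    return {owner: classify(target, resolver)
            for owner, target in parse_cnames(zone_text).items()}


if __name__ == "__main__":
    # Live run against real DNS; the placeholder targets will not resolve.
    for owner, status in audit_zone(SAMPLE_ZONE).items():
        print(f"{owner:12s} {status}")
```

Note that the thread's own evidence shows why an HTTP 404 is not a reliable signal either way: the takeover report above still saw a 404 on the original domain because of caching, and the non-vulnerable report also saw a 404. Auditing the DNS target and the provider's validation behaviour, as this script does, gives a more useful triage than probing for a specific error page.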