Hall of fame

We would like to thank the following security researchers:

(2024-03-26)
Shaikh Huzaifa discovered that debug.log was publicly accessible on the d9ping.nl weblog because the WP_DEBUG constant had been left enabled. This debug.log file disclosed unwanted information about the software versions in use and the website configuration.

(2024-01-25)
Someone discovered that the autoconfig subdomains still had DNS records but no valid certificate.
These DNS records should have been removed, so that email autoconfiguration for new email clients is always performed over HTTPS via the well-known URI on the main domain.

(2023-11-14)
Himanshu Sondhi discovered that not all files of the WordPress installation in the wp-include folder had been updated, leaving it exposed to unpatched security issues.

(2023-10-23)
Shaikh Huzaifa discovered that the webserver could easily be made unavailable by a DoS attack against the WordPress wp-cron.php script.
Paranoid Secure Hosting has resolved the issue by restricting access to the wp-cron.php script.

(2021-12-20)
Someone discovered that a page on postma.xyz was still using the script-src 'unsafe-inline' directive in its Content Security Policy, although it was no longer needed because the script it had been added for was long gone. script-src 'unsafe-inline' allows inline scripts on the page, which could allow cross-site scripting to be executed if output escaping is not done properly.

(2021-11-27)
Paranoid Secure Hosting was informed by someone about the use of old vulnerable jQuery 1 and 2 versions, as well as an old vulnerable jQuery UI.
The old vulnerable jQuery scripts were used in the (latest) RainLoop webmail client and on the CalDAVZip online calendar.
These old jQuery scripts could be abused for cross-site scripting.
Paranoid Secure Hosting has decided to remove the PostmaXYZ CalDAVZip online calendar viewer entirely because it was no longer being used.
The vulnerable RainLoop webmail client has also been replaced with SnappyMail, a fork of the webmail client that does not use jQuery and is not affected.

(2023-11-23)
Shaikh Huzaifa discovered that our WordPress cron job posed a denial of service risk, as it could cause the webserver to become unresponsive due to excessive processor load.
Paranoid Secure Hosting resolved it by limiting access to wp-cron.php.

(2021-09-27)
Someone discovered that the calendar was vulnerable to brute-force password guessing.
Paranoid Secure Hosting had not enforced our password policy for old accounts that were already in use. These accounts could possibly have had a weak password that was brute-forceable within an unwantedly short timeframe.
The CalDAV and CardDAV pages were also missing the X-Frame-Options and Content-Security-Policy HTTP headers that limit cross-origin attacks and clickjacking attacks with (i)frames.
Paranoid Secure Hosting has also implemented brute-force detection on the CalDAV and CardDAV services that refuses further requests from a brute-force attacker within a short time frame.

(2021-08-24)
Someone discovered that one host exposed Server headers giving banner information about that host.

(2021-06-18)
Someone discovered that the notefly.org Mantis bug tracker was not setting the important security cookie flags.
The Secure, HttpOnly and SameSite flags were missing on the session cookies of the Mantis bug tracker.

(2021-06-05)
Someone discovered that notefly.org and postma.xyz were using vulnerable, deprecated jQuery versions (1 and 2) that could possibly be abused to execute cross-site scripting.
The online calendar on caldav.postma.xyz/online was vulnerable to clickjacking because the X-Frame-Options: DENY HTTP header was missing.

(2020-11-19) Himanshu Sondhi -
Discovered that some login URLs were missing request rate limiting.
Found that postma.xyz was missing a CAA DNS record; support for CAA records had been added by the DNS provider earlier this year.

(2020-11-18) Himanshu Sondhi -
Suggested that, on a password reset, any other logged-in session of the user whose password was reset should be logged out.

(2020-11-04) Virendra Tiwari -
Discovered an issue that still needs to be addressed by our upstream provider.

(2020-08-23) Gaurav Ghule -
Discovered that it was possible to misuse the password reset function to create a denial of service attack against the email server.

(2020-07-03) Yassine Nafiai -
It was easy to brute-force the two-factor authentication setup page to disable two-factor authentication for a logged-in user.
The password reset token did not immediately expire after a successful login.

(2020-06-26) Yassine Nafiai -
TOTP and HOTP two-factor authentication could be bypassed too quickly by brute-forcing the code.
The password reset link leaked to a third-party website (CDN), which could lead to account takeover.

(2020-06-22) Gamer7112 - HackerOne profile -
Discovered that a JavaScript sanitize function on snippets.d9ping.nl was vulnerable to cross-site scripting in Internet Explorer 11 and lower.

(2019-11-08) Yassine Nafiai -
Found a misconfiguration of the notefly.org Mantis bug tracker that would allow HTML injection.

(2019-03-15) Shahrukh Iqbal Mirza of Apprise Security -
Found that it is possible to use the WordPress load-scripts.php script for a denial of service attack.