โš ๏ธ high ๐ŸŒ€ Pure Chaos

cdhome.co.uk

ACME client configuration leaked into public DNS

$ dig TXT cdhome.co.uk

;; QUESTION SECTION:

;cdhome.co.uk. IN TXT


;; ANSWER SECTION:

cdhome.co.uk. 3600 IN TXT "dns_acmedns_api_url = http://acmedns-server/ dns_acmedns_registration_file = /data/acme-registration.json"

An administrator appears to have accidentally copied internal ACME client environment variables or configuration file contents and pasted them into the public DNS zone file while trying to set up an SSL certificate. `dns_acmedns_api_url = http://acmedns-server/` and `dns_acmedns_registration_file = /data/acme-registration.json` expose an internal infrastructure hostname and a file path to the public internet.
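A zone audit check for this kind of leak, as an added example that is not part of the original page: it parses a TXT value for `key = value` pairs and flags values that are URLs pointing at a non-public host or absolute file paths. The function names and the heuristics are assumptions; the SPF sample is constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The TXT value from the dig answer above, and a constructed benign record.
LEAKED_TXT = ("dns_acmedns_api_url = http://acmedns-server/ "
              "dns_acmedns_registration_file = /data/acme-registration.json")
SAMPLE_SPF = "v=spf1 include:_spf.example.com ~all"  # constructed

PAIR_RE = re.compile(r"([A-Za-z_][\w.-]*)\s*=\s*(\S+)")
PATH_RE = re.compile(r"^(/[\w.-]+){2,}$")  # absolute Unix path, two or more components


def is_internal_host(host):
    """Single-label names and private/loopback IPs are not publicly reachable names."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback
    except ValueError:
        return "." not in host.rstrip(".")


def audit_txt(rdata):
    """Return (key, value, reason) for each pair that exposes internal detail."""
    findings = []
    for key, value in PAIR_RE.findall(rdata):
        value = value.strip("\"';,")
        try:
            url = urlsplit(value)
        except ValueError:  # malformed URL, nothing to classify
            continue
        if url.scheme in ("http", "https") and url.hostname:
            if is_internal_host(url.hostname):
                findings.append((key, value, "internal hostname"))
        elif PATH_RE.match(value):
            findings.append((key, value, "filesystem path"))
    return findings


if __name__ == "__main__":
    for record in (LEAKED_TXT, SAMPLE_SPF):
        print(record[:40], "->", audit_txt(record))
```

Run it over every TXT value in a zone export before publishing; an empty list means no pair matched these two heuristics, not that the record is safe.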
