

Show HN: co.vu Free Domain Name with easy dns setup and more. Invite code  - hn - arunkk
http://www.co.vu/invite

======
MeProtozoan
Bugs I've found:

Fix the user input for domain names: I'm able to enter non-ASCII chars

XSS:
[http://www.co.vu/search?domain=<marquee>](http://www.co.vu/search?domain=<marquee>);
[http://www.co.vu/dnssettings/createrecord?domain=%3E%3Cmarqu...](http://www.co.vu/dnssettings/createrecord?domain=%3E%3Cmarquee%3E)

Full path disclosure (and maybe even SQL injections possible):
<http://www.co.vu/dnssettings?domain=>

Access other users' DNS (even without login):
<http://www.co.vu/dnssettings/dnsrecords?domain=notmydomain>

OpenDir (showing server software used): <http://www.co.vu/img/posterous/>

~~~
arunkk
Thanks, will do it
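An added example, not part of the thread and not co.vu's code: a server-side sketch of the fixes the report above calls for, covering ASCII-only label validation, HTML-escaping of the reflected `domain` parameter, and an ownership check before DNS records are returned. The ownership table, reserved list, function names and status codes are assumptions made for illustration.

```python
import html
import re

# RFC 1123 hostname label: ASCII letters, digits, hyphens; 1-63 chars;
# no leading or trailing hyphen.
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
RESERVED = {"www", "mail", "ns1", "ns2"}  # assumed restricted list

# Constructed ownership table standing in for the application's database.
OWNERS = {"alice-blog": "alice", "bobs-site": "bob"}

def validate_label(raw):
    """Return the normalized label, or raise ValueError."""
    label = raw.strip().lower()
    if not label.isascii() or not LABEL_RE.fullmatch(label):
        raise ValueError("invalid label")
    if label in RESERVED:
        raise ValueError("reserved label")
    return label

def render_search(raw):
    """Reflect the query into the page only after HTML-escaping it."""
    return "<p>Results for: {}</p>".format(html.escape(raw, quote=True))

def dns_records_status(session_user, raw_domain):
    """Return the HTTP status a dnsrecords request should receive."""
    if session_user is None:
        return 401                      # no anonymous access
    try:
        label = validate_label(raw_domain)
    except ValueError:
        return 400                      # empty or malformed: clean error, no stack trace
    if OWNERS.get(label) != session_user:
        return 404                      # same answer for "not yours" and "does not exist"
    return 200

if __name__ == "__main__":
    print(render_search("<marquee>"))
    print(dns_records_status(None, "alice-blog"),
          dns_records_status("bob", "alice-blog"),
          dns_records_status("alice", "alice-blog"),
          dns_records_status("alice", ""))
```
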

------
mike-cardwell
Learn what CSRF is. Your form for resetting passwords is trivially exploitable
to change other people's account passwords. Anyone can just create a form in a
hidden iframe on their own site which auto-submits a POST to
<http://www.co.vu/account/account_password> with password_new_password and
password_retype_new_password params set.

Not only should you fix the CSRF via normal CSRF protection methods, but you
should also add a second layer of protection for resetting passwords in that
you require their existing password to be submitted as well.

~~~
arunkk
Thanks, will look into it
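An added example, not part of the thread and not co.vu's code: a password-change handler with the two layers described above, a session-bound CSRF token and a check of the existing password. `password_new_password` and `password_retype_new_password` are the parameter names quoted in the comment; `csrf_token`, `password_current`, the account dict and the PBKDF2 settings are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (assumed)

def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 password hash (iteration count is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def csrf_token(session_id):
    """Token bound to the session; rendered as a hidden field in the real form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def change_password(session_id, account, form):
    """Return (status, message); `account` holds 'salt' and 'pw_hash'."""
    # Layer 1: a cross-site form cannot read the victim's token, so it fails here.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), csrf_token(session_id).encode()):
        return 403, "bad CSRF token"
    # Layer 2: require the existing password, compared in constant time.
    current = hash_password(form.get("password_current", ""), account["salt"])
    if not hmac.compare_digest(current, account["pw_hash"]):
        return 403, "current password incorrect"
    new = form.get("password_new_password", "")
    if not new or new != form.get("password_retype_new_password"):
        return 400, "new passwords do not match"
    account["salt"] = secrets.token_bytes(16)
    account["pw_hash"] = hash_password(new, account["salt"])
    return 200, "password changed"

if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    acct = {"salt": salt, "pw_hash": hash_password("old-pass", salt)}
    # Constructed request: what an auto-submitting cross-site form would send.
    forged = {"password_new_password": "x", "password_retype_new_password": "x"}
    print(change_password("sess-1", acct, forged))
```
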

------
arunkk
<http://www.co.vu/invite>

invite code - hn

It is a simple app where you get a free domain like yourname.co.vu with full
dns support.

You can very easily configure the dns settings for tumblr, posterous, blogger
and much more..

It is not ready to launch yet; I need your early feedback

------
rplacd
Looks interesting - snagged dis.co.vu, now I just need a startup for it or
something.

Just two minor issues, though: the option to remove a domain seems to be
missing, and it's not clear that the free domain limit is 2. But everything
else's peachy.

~~~
xtacy
redis.co.vu :-)

Here are other words for grabs:

    
    
        {"alcove", "alcoves", "covalent", "covalently", "covariance", \
        "covariances", "cove", "coven", "covenant", "covenanted", \
         "covenanting", "covenants", "covens", "cover", "coverage", \
         "coverages", "coverall", "coveralls", "covered", "covering", \
         "coverings", "coverlet", "coverlets", "covers", "coversheet", \
         "covert", "covertly", "covertness", "coverts", "coves", "covet", \
         "coveted", "coveting", "covetous", "covetously", "covetousness", \
         "covets", "covey", "coveys", "discover", "discoverable", \
         "discovered", "discoverer", "discoverers", "discoveries", \
         "discovering", "discovers", "discovery", "dustcover", "hardcover", \
         "hardcovers", "irrecoverable", "irrecoverably", "Muscovite", \
         "Muscovy", "nonrecoverable", "recover", "recoverable", "recovered", \
         "recoveries", "recovering", "recovers", "recovery", "rediscover", \
         "rediscovered", "rediscoveries", "rediscovering", "rediscovers", \
         "rediscovery", "slipcover", "slipcovers", "softcover", "uncover", \
         "uncovered", "uncovering", "uncovers", "undercover", "undiscovered", \
         "unrecoverable"}

------
mike-cardwell
This is going to be massively abused. The one good thing about making people
pay for domains is that you can generally link their registration to a
credit/debit card.

------
devicenull
So, is this actually a domain name (Can I take it and switch to another
registrar, as an example), or is this just a subdomain? On a related note, do
I actually own the domain?

I don't see any TOS/AUP, so if you object to my domain, is it going to be
taken away?

------
mike-cardwell
In the account settings, you should automatically determine the language,
country and timezone. You should not even ask for gender or d-o-b as it's none
of your business. Why "First Name", "Last Name" _and_ "Full Name" ?

~~~
arunkk
I just added them as most of the registrars ask for these details. Will look
into this based on all your feedback

------
DizzyDoo
Just given this a go and I can see that the domain name is given an expiry
date. How do expiries work? Is there an email that comes around in one year's
time to keep it open, or something similar?

~~~
arunkk
Currently it is one year. Based on how active you are, your account will be
automatically renewed. If you just register it as a parked domain or you are
just blocking it, you need to pay.

------
blntechie
Wordpress.com - the world's largest blog hoster not supported in auto option?
Any idea how do I configure DNS for a wordpress.com hosted site?

~~~
arunkk
I am about to integrate the wordpress soon.. For now you can edit the dns
record to configure to wordpress

------
joshzayin
You should really get that site copy-edited. "Favorate" on your homepage
should be "Favorite".

~~~
arunkk
Thanks. Have fixed it. Will do a spell check site wide

------
wsxiaoys
After registration, it displays the wrong email address in notification of
checking inbox.

~~~
arunkk
I guess it is a bug; we did a prototype. I think it is not removed. I will
check it and fix it soon. Thanks for reporting it

------
leif
font looks an absolute mess on my machine: <http://imgur.com/fXTur>

linux, chrome 11

~~~
arunkk
Used cufon font for rendering. I checked in most of the browsers. Will check
it

------
MeProtozoan
www.co.vu is 'available for registration' ;-)

~~~
arunkk
I am working on the restricted list of domains. Just wanted to validate the
app before fixing a few things

~~~
0xdeadc0de
Any rough date on when it's gonna get Nameserver support?

~~~
arunkk
Very Soon. First will fix most of the security issues and roll out the new
features. Will notify you.

Thanks

