Show HN: co.vu Free Domain Name with easy dns setup and more. Invite code - hn

18 points by arunkk about 14 years ago

13 comments

MeProtozoan about 14 years ago
Bugs I've found:

Fix the user input for domain names: I'm able to enter non-ASCII chars

XSS: http://www.co.vu/search?domain=<marquee>; http://www.co.vu/dnssettings/createrecord?domain=%3E%3Cmarquee%3E

Full path disclosure (and maybe even SQL injections possible): http://www.co.vu/dnssettings?domain=

Access other users' DNS (even without login): http://www.co.vu/dnssettings/dnsrecords?domain=notmydomain

OpenDir (showing server software used): http://www.co.vu/img/posterous/

mike-cardwell about 14 years ago
Learn what CSRF is. Your form for resetting passwords is trivially exploitable to change other people's account passwords. Anyone can just create a form in a hidden iframe on their own site which auto-submits a POST to http://www.co.vu/account/account_password with password_new_password and password_retype_new_password params set.

Not only should you fix the CSRF via normal CSRF protection methods, but you should also add a second layer of protection for resetting passwords in that you require their existing password to be submitted as well.

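One way to apply both fixes suggested in the comment above, as an added example that is not part of the thread or of co.vu's code. The `csrf_token` and `password_current` field names, the session and user dicts, and the HMAC-based token scheme are assumptions; the two new-password field names are the ones quoted in the comment.

```python
import hashlib
import hmac
import os
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed for this example)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def issue_csrf_token(session_id: str) -> str:
    """Token rendered into the form as a hidden field, bound to this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def change_password(session: dict, user: dict, form: dict) -> str:
    """Return 'ok' or the reason the request was rejected."""
    # Layer 1: a page on another origin cannot read the token, so it cannot send it.
    expected = issue_csrf_token(session["id"]).encode()
    if not hmac.compare_digest(form.get("csrf_token", "").encode(), expected):
        return "rejected: bad csrf token"
    # Layer 2: require the existing password (assumed field name password_current).
    supplied = hash_password(form.get("password_current", ""), user["salt"])
    if not hmac.compare_digest(supplied, user["pw_hash"]):
        return "rejected: wrong current password"
    new = form.get("password_new_password", "")
    if not new or new != form.get("password_retype_new_password"):
        return "rejected: new passwords do not match"
    user["salt"] = os.urandom(16)
    user["pw_hash"] = hash_password(new, user["salt"])
    return "ok"

def demo() -> list:
    # Constructed sample account, session and form submissions.
    salt = os.urandom(16)
    user = {"salt": salt, "pw_hash": hash_password("old-pass", salt)}
    session = {"id": secrets.token_hex(16)}
    fields_only = {"password_new_password": "n3w-pass",
                   "password_retype_new_password": "n3w-pass"}  # no token, no old password
    token_only = dict(fields_only, csrf_token=issue_csrf_token(session["id"]))
    complete = dict(token_only, password_current="old-pass")
    return [change_password(session, user, f)
            for f in (fields_only, token_only, complete)]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```
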
arunkk about 14 years ago
http://www.co.vu/invite

invite code - hn

It is a simple app where you get a free domain like yourname.co.vu with full DNS support.

You can very easily configure the DNS settings for tumblr, posterous, blogger and much more.

It is not ready to launch yet; need your early feedback.

rplacd about 14 years ago
Looks interesting - snagged dis.co.vu, now I just need a startup for it or something.

Just two minor issues, though: the option to remove a domain seems to be missing, and it's not clear that the free domain limit is 2. But everything else's peachy.

mike-cardwell about 14 years ago
This is going to be massively abused. The one good thing about making people pay for domains is that you can generally link their registration to a credit/debit card.

devicenull about 14 years ago
So, is this actually a domain name (Can I take it and switch to another registrar, as an example), or is this just a subdomain? On a related note, do I actually own the domain?

I don't see any TOS/AUP, so if you object to my domain, is it going to be taken away?

mike-cardwell about 14 years ago
In the account settings, you should automatically determine the language, country and timezone. You should not even ask for gender or d-o-b as it's none of your business. Why "First Name", "Last Name" *and* "Full Name"?

DizzyDoo about 14 years ago
Just given this a go and I can see that the domain name is given an expiry date. How do expiries work? Is there an email that comes around in one year's time to keep it open, or something similar?

blntechie about 14 years ago
Wordpress.com - the world's largest blog hoster not supported in auto option? Any idea how do I configure DNS for a wordpress.com hosted site?

joshzayin about 14 years ago
You should really get that site copy-edited. "Favorate" on your homepage should be "Favorite".

wsxiaoys about 14 years ago
After registration, it displays the wrong email address in notification of checking inbox.

leif about 14 years ago
font looks an absolute mess on my machine: http://imgur.com/fXTur

linux, chrome 11

MeProtozoan about 14 years ago
www.co.vu is 'available for registration' ;-)