SQL Injection occurs when data input for example by a user is interpreted as a SQL command rather than normal data by the backend database. This is an extremely common vulnerability and its successful exploitation can have critical implications. Netsparker confirmed the vulnerability by executing a test SQL Query on the back-end database. In these tests, SQL Injection was not obvious but the different responses from the page based on the injection test allowed us to identify and confirm the SQL Injection.
Impact
Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:
Reading, Updating and Deleting arbitrary data from the database
Executing commands on the underlying operating system
Reading, Updating and Deleting arbitrary tables from the database
Actions to Take
See the remedy for solution.
If you are not using a database access layer (DAL), consider using one. This will help you to centralise the issue. You can also use an ORM (object relational mapping). Most of the ORM systems use only parameterised queries and this can solve the whole SQL Injection problem.
Locate the all dynamically generated SQL queries and convert them to parameterised queries. (If you decide to use a DAL/ORM change all legacy code to use these new libraries)
Use your weblogs and application logs to see if there was any previous but undetected attack to this resource.
Remedy
A robust method for mitigating the threat of SQL Injection based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built in libraries for this. Wherever possible do not create dynamic SQL queries or SQL queries with string concatenation.
Required Skills for Successful Exploitation
There are numerous freely available tools to exploit SQL Injection vulnerabilities. This is a complex area with many dependencies, however it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL Injection is one of the most common web application vulnerabilities.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>DarkBlue Affiliate Network</title> <meta name="keywords" content="Affiliate network, affiliate program, dark blue, affiliate software, merchants and advertisers, affiliates, internet advertising, commissions, webmaster" /> <meta name="description" content="Darkblue.com the number one affiliate program and advertiser campaign network." /> <link rel="stylesheet" type="text/css" href="skins/lander/reset.css" /> <link rel="stylesheet" type="text/css" href="skins/lander/style.css" /> <link rel="shortcut icon" type="image/x-icon" href="skins/lander/images/darkblue.ico"></head><body><div id="password-retrieval"><h2>Password Retrieval</h2><br /> <p>Your password has been sent to -111' OR SLEEP(25)=0 LIMIT 1-- <br></p> <br /> <p>You may now close this window.</p></div></body></html>
SQL Injection occurs when data input for example by a user is interpreted as a SQL command rather than normal data by the backend database. This is an extremely common vulnerability and its successful exploitation can have critical implications. Netsparker confirmed the vulnerability by executing a test SQL Query on the back-end database. In these tests, SQL Injection was not obvious but the different responses from the page based on the injection test allowed Netsparker to identify and confirm the SQL Injection.
Impact
Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:
Reading, Updating and Deleting arbitrary data from the database
Executing commands on the underlying operating system
Reading, Updating and Deleting arbitrary tables from the database
Actions to Take
See the remedy for solution.
If you are not using a database access layer (DAL), consider using one. This will help you to centralise the issue. You can also use an ORM (object relational mapping). Most of the ORM systems use only parameterised queries and this can solve the whole SQL Injection problem.
Locate all of the dynamically generated SQL queries and convert them to parameterised queries. (If you decide to use a DAL/ORM change all legacy code to use these new libraries)
Use your weblogs and application logs to see if there was any previous but undetected attack to this resource.
Remedy
The best way to protect your code against SQL Injections is using parameterised queries (prepared statements). Almost all modern languages provide built in libraries for this. Wherever possible do not create dynamic SQL queries or SQL queries with string concatenation.
Required Skills for Successful Exploitation
There are numerous freely available tools to exploit SQL Injection vulnerabilities. This is a complex area with many dependencies, however it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>DarkBlue Affiliate Network</title> <meta name="keywords" content="Affiliate network, affiliate program, dark blue, affiliate software, merchants and advertisers, affiliates, internet advertising, commissions, webmaster" /> <meta name="description" content="Darkblue.com the number one affiliate program and advertiser campaign network." /> <link rel="stylesheet" type="text/css" href="skins/lander/reset.css" /> <link rel="stylesheet" type="text/css" href="skins/lander/style.css" /> <link rel="shortcut icon" type="image/x-icon" href="skins/lander/images/darkblue.ico"></head><body><div id="password-retrieval"><h2>Password Retrieval</h2><br /> <p>Your password has been sent to ' OR 'ns'='ns<br></p> <br /> <p>You may now close this window.</p></div></body></html>
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser.
XSS targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' session, an attacker might attack an administrator to gain full control over the application.
Impact
There are many different attacks that can be leveraged through the use of XSS, including:
Hi-jacking users' active session
Changing the look of the page within the victims browser.
Mounting a successful phishing attack.
Intercept data and perform man-in-the-middle attacks.
Remedy
The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML ensure that all active content is removed prior to its presentation to the server.
Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a white-list. This list needs only be defined once and should be used to sanitize and validate all subsequent input.
There are a number of pre-defined, well structured white-list libraries available for many different environments, good examples of these include, OWASP Reform and Microsoft Anti Cross-site Scripting libraries are good examples.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>DarkBlue Affiliate Network</title> <meta name="keywords" content="Affiliate network, affiliate program, dark blue, affiliate software, merchants and advertisers, affiliates, internet advertising, commissions, webmaster" /> <meta name="description" content="Darkblue.com the number one affiliate program and advertiser campaign network." /> <link rel="stylesheet" type="text/css" href="skins/lander/reset.css" /> <link rel="stylesheet" type="text/css" href="skins/lander/style.css" /> <link rel="shortcut icon" type="image/x-icon" href="skins/lander/images/darkblue.ico"></head><body><div id="password-retrieval"><h2>Password Retrieval</h2><br /> <p>Could not find account with email as '"--></style></script><script>netsparker(0x000158)</script><p><a href="#" onClick="history.go(-1)">Try Again?</a><br></p> <br /> <p>You may now close this window.</p></div></body></html>
A Cookie was not marked as secure and transmitted over HTTPS. This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic or following a successful MITM (Man in the middle) attack.
Impact
This cookie will be transmitted over a HTTP connection, therefore if this cookie is important (such as a session cookie) an attacker might intercept it and hijack a victim's session. If the attacker can carry out a MITM attack, he/she can force victim to make a HTTP request to steal the cookie.
Actions to Take
See the remedy for solution.
Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information you do not have to mark it as secure.))
Remedy
Mark all cookies used within the application as secure.
Required Skills for Successful Exploitation
To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or victim's network. Attackers need to be understand layer 2, have physical access to systems either as way points for the traffic, or locally (have gained access to) to a system between the victim and the web server.
A Local File Inclusion (LFI) vulnerability occurs when a file from the target system is injected into the attacked server page. Netsparker confirmed this issue by reading some files from the target web server.
Impact
Impact can differ based on the exploitation and the read permission of the web server user. Depending on these factors an attacker might carry out one or more of the following attacks:
Gather usernames via /etc/password file
Harvest useful information from the log files such as "/apache/logs/error.log" or "/apache/logs/access.log"
Remotely execute commands via combining this vulnerability with some of other attack vectors such as file upload vulnerability or log injection.
Remedy
If possible, do not accept appending file paths directly. Make it hard-coded or selectable from a limited hard-coded path list via an index variable
If you definitely need dynamic path concatenation, ensure that you only accept required characters such as "a-Z0-9" and do not allow "..", "/", "%00" (null byte) or any other similar unexpected characters.
Finally it is important to limit the API to allow inclusion only from a directory and directories below it. This way you can ensure that any potential attack can not perform a directory traversal attack.
Cookie was not marked as HTTPOnly. HTTPOnly cookies can not be read by client-side scripts therefore marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks..
Impact
During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim's session.
Actions to Take
See the remedy for solution
Consider marking all of the cookies used by the application as HTTPOnly (After these changes javascript code will not able to read cookies.
Remedy
Mark the cookie as HTTPOnly. This will be an extra layer of defence against XSS. However this is not a silver bullet and will not protect the system against Cross-site Scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.
Netsparker identified that the target web server is an Apache server. This was disclosed through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Apache.
Impact
An attacker can search for specific security vulnerabilities for the version of Apache identified within the SERVER header.
Remedy
Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
Netsparker identified that the target web server is disclosing the PHP version in use through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of PHP.
Impact
An attacker can look for specific security vulnerabilities for the version identified. Also the attacker can use this information in conjunction with the other vulnerabilities in the application or the web server.
Netsparker identified that the target web site is using a MySQL Server. This is generally not a security issue and is reported here for information purposes.
Impact
This issue is reported as additional information only, there is no direct impact arising from this issue.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>DarkBlue Affiliate Network</title> <meta name="keywords" content="Affiliate network, affiliate program, dark blue, affiliate software, merchants and advertisers, affiliates, internet advertising, commissions, webmaster" /> <meta name="description" content="Darkblue.com the number one affiliate program and advertiser campaign network." /> <link rel="stylesheet" type="text/css" href="skins/lander/reset.css" /> <link rel="stylesheet" type="text/css" href="skins/lander/style.css" /> <link rel="shortcut icon" type="image/x-icon" href="skins/lander/images/darkblue.ico"></head><body><div id="password-retrieval"><h2>Password Retrieval</h2><br /> <p>Could not find account with email as -1'OR 1=1 AND 1=(SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT CONCAT(CHAR(78),CHAR(69),CHAR(84),CHAR(83),CHAR(80),CHAR(65),CHAR(82),CHAR(75),CHAR(69),CHAR(82))),5,1)),0)=88),1,2))-- <p><a href="#" onClick="history.go(-1)">Try Again?</a><br></p> <br /> <p>You may now close this window.</p></div></body></html>
Netsparker found e-mail addresses on the web site.
Impact
E-mail addresses discovered within the application can be used by both spam email engines and also brute force tools. Furthermore valid email addresses may lead to social engineering attacks .
Remedy
Use generic email addresses such as contact@ or info@ for general communications, remove user/people specific e-mail addresses from the web site, should this be required use submission forms for this purpose.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>DarkBlue Affiliate Network</title> <meta name="keywords" content="Affiliate network, affiliate program, dark blue, affiliate software, merchants and advertisers, affiliates, internet advertising, commissions, webmaster" /> <meta name="description" content="Darkblue.com the number one affiliate program and advertiser campaign network." /> <link rel="stylesheet" type="text/css" href="skins/lander/style.css" /> <link rel="shortcut icon" type="image/x-icon" href="skins/lander/images/darkblue.ico"></head><body><div id="content"> <div id="contentframe"> <div id="contentheader"> <a href="../index.htm"><img src="../images/btn_home.gif" align="right"></a><img src="../images/hd_privacy.gif"></a> </div> <div id="contentmain"> <div id="mainbody"> <p> <strong>Privacy Policy</strong> </p><h3>DARK BLUE SEA - PRIVACY POLICY</h3> <p>This Privacy Policy explains why and how we collect certain personal information from our customers and the visitors to our websites, and what we do with that information.</p> <p>The Dark Blue Sea group of companies is part of the Photon Group and offers an exciting range of online products and services including domain name registration, website hosting, domain monetization, domain name resale, expiring and deleted domain name services, reseller services and search engine services.</p> <p>The Dark Blue Sea group comprises a number of companies that includes:</p> <ul> <li>Dark Blue Sea Pty Ltd ABN 47 091 509 796</li> <li>Fabulous.com Pty Ltd ABN 64 094 218 443 (operates the business Fabulous Domains)</li> <li>Fabulous Parking Pty Ltd ABN 16 094 225 091</li> <li>Fabulous.com.au Pty Ltd ABN 34 139 626 994 (trading as Drop.com.au)</li> <li>Roar.com Pty Ltd ABN 99 094 225 064</li> <li>Pageseeker.com Pty Ltd ABN 45 090 513 849</li> <li>Darkblue.com Pty Ltd ABN 14 094 225 082</li> <li>Yexa.com Pty Ltd ABN 12 094 225 073</li> <li>Domain8 Pty Ltd ABN 79 135 424 878</li> <li>Yexa.com.au Pty Ltd ABN 84 137 606 172</li> <li>Whois Privacy Services Pty Ltd ABN 65 133 058 741</li> </ul><h4>ABOUT THIS PRIVACY POLICY</h4> <p>This Privacy Policy has been drafted to comply with the National Privacy Principles set out in the <i>Australian Privacy Act 1988 (Cth)</i>. More information about the Privacy Act is available on the Australian Privacy Commissioner's website at <a href="http://www.privacy.gov.au">http://www.privacy.gov.au</a>.</p><h4>WHY WE NEED TO COLLECT PERSONAL INFORMATION</h4> <p>Personal information is any information that identifies you or by which your identity can be reasonably determined.</p> <p>The collection, use and disclosure of personal information is essential to enable us to conduct our business of delivering online products and services to our customers and website visitors. For example most of our products and services require some form of registration or subscription, while others require a payment to be made. Contact details of our customers and website visitors may also be required from time to time to notify them of competition prizes they may have won. </p> <p>Some of the personal information we collect, including that obtained from our online enquiry/feedback facilities, is used to help us develop and improve the quality of our products and services, which in turn, provides our customers and website visitors with a more satisfying and enjoyable online experience.</p> <p>Without collecting and making use of your personal information, we may not be able to provide our online products and services to you.</p><h4>WHAT WE DO WITH YOUR PERSONAL INFORMATION</h4> <p>We use personal information that we collect to conduct our business of delivering online products and services and to continually improve our relationship with you.</p> <p>In order to do this, we share your personal information with our related companies.</p> <p>Personal information may be used to enable us to send you online promotional material on our range of products and services. You may at any time notify us that you do not wish to receive this material via the unsubscribe facility accompanying the material. Once you have notified us, we will not send you any further promotional material. </p><h4>HOW WE COLLECT INFORMATION</h4> <p><b>Personal Information provided to us</b></p> <p>We collect and store personal information that is voluntarily provided by our customers as part of doing business with us. Such information may include a customer's full name, date of birth, addresses (including home, postal and email address) and telephone numbers. We also collect and securely store customer's payment details such as their credit card details (where necessary).</p> <p>We collect this personal information and make use of these details to provide you with our products and services and to better manage our relationship with you.</p> <p><b>Website activity, cookies and related technology</b></p> <p>We provide products and services via a number of different websites. When you view one of our websites, our web server records anonymous information such as the time and date the website is viewed and the web pages/URL's requested. This information assists us to improve the structure of our websites and monitor their performance.<br />We also allow third parties with whom we have entered contractual arrangements ("Advertising Providers") to serve advertising on our websites.<br />We make use of cookies and iframes on our websites and permit Advertising Providers to place and read cookies on end users' browsers. These Advertising Providers may use web beacons or similar technologies to collect information in the course of advertisements being served on our websites.</p> <p>Cookies are pieces of information that a website transfers to your hard drive for record-keeping purposes. The browser stores the information, and sends the information back to the server each time you request a webpage from the server. The use of cookies is an industry standard, utilized by the majority of website operators.</p> <p>Most browsers are initially set up to accept cookies. You can reset your browser to refuse all cookies or indicate when a cookie is being sent. However, some parts of our websites, or the products and services provided through our websites, may not function properly or may be considerably slower if you do not enable cookies on your Internet browser.<br />The National Advertising Initiative ("NAI") offers an opt-out tool (located at <a href="http://www.networkadvertising.org/managin/opt_out.asp">http://www.networkadvertising.org/managin/opt_out.asp</a>) for the purpose of allowing consumers to "opt-out" of the behavioural advertising delivered by its member companies. Some of the third parties with whom we have entered into contractual arrangements are members of NAI.<br />We may have iframes embedded on our websites and may enter into contractual arrangements with third parties so that they may analyse your online behaviour. These iframes allow for the collection of non-personally identifiable information about your website visits.</p> <p><b>IP Addresses</b></p> <p>When you access our websites, our website servers register the type of web browsers that you are using and your IP address.</p> <p>We collect IP addresses for the purposes of system administration, to report aggregate traffic information to our customers, fraud detection and to generally audit the use of our websites. When you request pages from our websites, our servers may log your IP address.</p> <p>We do not normally link IP addresses to any personal information, which means that your session will be logged, but you otherwise remain anonymous.</p> <p>We can and will use your IP address to identify you when it is necessary to enforce compliance with our terms of service or to protect the integrity of our services and websites, as well as to protect our interests and those of our other customers.</p> <p>Some services provided by us, such as certain message boards, may display IP addresses along with the message poster's name and message. Please review each service prior to use and only use those services if you are comfortable with their methods of collection and disclosure of personal information.</p><h4>WHEN WE DISCLOSE PERSONAL INFORMATION</h4> <p>We take all reasonable steps to protect the personal information we hold from misuse and loss and from unauthorized access, modification or disclosure.</p> <p>We may disclose your personal information where you have consented to us doing so. This consent may be express (eg. in writing or verbal) or implied from your conduct. There may however be times where we are required to disclose personal information without your consent eg. when it is required or authorized by law.</p> <p>Personal information that you provide to us may be shared among our related companies. Our related companies are required to keep such information private and confidential and otherwise deal with such personal information strictly in accordance with this Privacy Policy.</p> <p>In order for us to conduct our business, it is necessary to disclose personal information to third parties. We may provide your personal information to third parties with whom we have contracted to provide administrative or other services, including to our affiliated website operators. We will ensure that these third parties are either bound by the Australian Privacy Act or subject to an equivalent law of another jurisdiction.</p> <p>When you utilize our domain name registration services, we provide your personal information to the registry operator for the relevant top level domain name for the purpose of inclusion in their registry database and the WHOIS service as well as to a third party providing registrar data escrow services (as required by our registrar accreditation agreement with the Internet Corporation for Assigned Names and Numbers ("ICANN")). The WHOIS service allows Internet users to query a domain name to find out the identity and contact details of the registrant. The public WHOIS service is a standard feature of domain name systems around the world. Please see auDA's WHOIS policy at <a href="http://www.auda.org.au/whois-policy">http://www.auda.org.au/whois-policy</a> which sets out auDA's guidelines on the collection, disclosure and use of WHOIS data. Please refer to the relevant TLD/ccTLD authority for specific WHOIS data collection policies. We are unable to provide our domain registration services to you without providing your personal information to these parties.</p><h4>TRANSBORDER FLOW OF PERSONAL INFORMATION</h4> <p>We are in the business of delivering online products and services. The Internet has no boundaries and as such we deal with international organizations and companies such as ICANN, registry operators and other service providers. We reasonably believe that these parties are subject to a law, binding scheme or contract which effectively upholds principles of fair handling of the information that are substantially similar to the National Privacy Principles. Without the transfer overseas to these entities, we will be unable to provide our online products and services to you.</p><h4>EPP SHARING ARRANGEMENTS</h4> <p>Fabulous.com.au Pty Ltd, has with the consent of .au Domain Administration Limited, the Australian Domain Name Administrator ("auDA"), entered into an EPP sharing arrangement with Netstart Pty Ltd ACN 111 018 154, an auDA accredited domain name registrar. "EPP" means the connection which the .au registry operator allows registrars to have to the domain name registry. Via the EPP, it is possible for Fabulous.com.au Pty Ltd, Domain8 Pty Ltd and Yexa.com.au Pty Ltd (formerly Domain Candy Pty Ltd) to have access to the registrant information of domain names managed by Netstart Pty Ltd. For this reason, agreements have been signed to protect registrant privacy and whois integrity.</p><h4>PROTECTING KIDS PRIVACY</h4><p>We are committed to complying with the provisions of the <i>Children's Online Privacy Protection Act of 1998</i> (United States) and its rules and regulations. We encourage parents and guardians to spend time online with their children and to participate in the activities offered on our websites. </p> <p><b>Notice to Kids</b></p> <p>If you are under 13 years of age, we must get your parent or guardian's permission before we can collect any personal information about you, such as your name, date of birth and your hobbies. </p> <p>You are allowed to give us either your email address, or the email address of your parent or guardian, so that we can contact them and ask for their permission to collect your personal information. </p> <p>No other information about you should be given to us, or one of our websites, until your parent or guardian has given you permission. </p> <p><b>Notice to Parents</b></p> <p>Before your child can access most of the interactive products and services we provide, they are required to provide us with certain information about themselves, for example, their name, date of birth and contact details, so that we can register them as a member. </p> <p>However, before we collect this personal information from your child, they are required to provide us with an e-mail address at which you, their parent or guardian can be contacted, so that we can obtain your consent. </p> <p>Although users under 13 years of age may be allowed to participate in some contests and promotions, if they win, notification and prizes are sent to the parents or guardians at the address specified in the initial registration process. Publication of contest winners' names, ages, or images for individuals under 13 require parental or guardian consent. </p> <p>Subject to the below exemptions, the personal information that we collect from your child will be subject to and dealt with in accordance with the terms of this Privacy Policy. </p> <p>No information collected from visitors under 13 years of age is used for any promotional purposes whatsoever, unless expressly stated during the collection of this information or during registration for contests or promotions (and in that case, the information collected is used only for the specific contest or promotion). </p> <p>We do not allow visitors under 13 years of age to be listed in our member directory or to receive direct promotional communications from us.</p><h4>LINKS TO OTHER WEBSITES</h4> <p>You should be aware that on our affiliated websites, there are links to third party websites. If you "click" on a banner advertisement, a search result or another type of link contained on one of our sites, the "click" may result in you leaving our site and your browser being redirected to a website owned and controlled by a third party. </p> <p>In this case, we recommend that you refer to the privacy policy of the websites you visit. We have no control over, and hence accept no responsibility for, the content of these sites or the actions of the operators in relation to the collection of personal information of users of these sites. </p> <p>Whilst we make every reasonable effort to protect the privacy of your personal information, we cannot guarantee the security of any information you disclose online and you do so at your own risk. </p> <p>You should keep in mind that whenever you give out personal information online, there is a risk that the information can be intercepted and used by third parties without our knowledge. We are in no way responsible or liable for the misuse of personal information obtained in this manner. </p><h4>ACCESS AND ACCURACY OF PERSONAL INFORMATION</h4> <p>You may request access to any personal information that we hold about you. All requests will be handled as quickly as possible, and we will endeavour to process any request for access within 30 days of its receipt.</p> <p>We may refuse access to personal information in certain circumstances such as where the information relates to anticipated legal proceedings with you, where denying access is required or authorized by law, where providing access would be likely to prejudice an investigation by an enforcement body or where the request for access is regarded as frivolous or vexatious. If we deny you access to personal information or refuse to correct personal information, we will give you reasons as to why.</p><h4>ENSURING PERSONAL INFORMATION IS UP-TO-DATE</h4> <p>It is very important that the personal information that we hold about you is complete, accurate and up-to-date. Please notify us immediately if there has been any change to your personal information.</p> <p>If you register a domain name with us, you will be provided with a unique registry key and/or username/password which may be used to access your personal information as well as to amend/update that personal information.</p><h4>PRIVACY COMPLAINTS</h4> <p>If you believe that we have not protected your personal information in accordance with this Privacy Policy, you can lodge a complaint by:</p> <ul> <li>Emailing: privacy@darkbluesea.com</li> <li>Telephoning: +61 7 3007 0070</li> <li>Faxing: +61 7 3007 0001</li> <li>Writing to us at:<br /> PO Box 757<br /> Fortitude Valley QLD 4006</li> </ul> <p>If you are not satisfied with the result of your complaint to us, you can refer your complaint to the Australian Privacy Commissioner as follows:</p> <ul> <li>Telephoning: +61 1300 363 992</li> <li>Writing to:<br /> Privacy Commissioner<br /> GPO Box 5218<br /> Sydney NSW 2001</li> </ul><h4>YOUR ACCEPTANCE OF THESE TERMS</h4> <p>By using this website or our affiliated websites, you consent to us collecting, using and disclosing your personal information in accordance with this Privacy Policy (as amended from time to time).</p> </div> </div> ..
