[10691] in bugtraq
Re: whois_raw.cgi problem
daemon@ATHENA.MIT.EDU (Peter van Dijk)
Tue Jun 1 18:38:22 1999
Mail-Followup-To: BUGTRAQ@NETSPACE.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990602001642.L1244@attic.vuurwerk.nl>
Date: Wed, 2 Jun 1999 00:16:42 +0200
Reply-To: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
From: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19990601003451.A2973@mclink.it>; from Salvatore Sanfilippo
-antirez- on Tue, Jun 01, 1999 at 12:34:51AM +0200
On Tue, Jun 01, 1999 at 12:34:51AM +0200, Salvatore Sanfilippo -antirez- wrote:
> Hi,
>
> sorry if this has already been known.
>
> There is a problem in whois_raw.cgi, called from
> whois.cgi. whois_raw.cgi is part of cdomain v1.0.
> I don't know if new versions are vulnerable.
Version 2.0 is just as vulnerable.
The commercial version (the one that runs on NT too :) is _not_ vulnerable
since it does it's own socket thing instead of starting 'whois'.
I've known of this bug in cdomain for about 6 months but never got around
to writing up an advisory...
Greetz, Peter
--
| 'He broke my heart, | Peter van Dijk |
I broke his neck' | peter@attic.vuurwerk.nl |
nognikz - As the sun | Hardbeat@ircnet - #cistron/#linux.nl |
| Hardbeat@undernet - #groningen/#kinkfm/#vdh |
