[17671] in bugtraq


Still a cgi-security hole in DNSTools (1.10)

daemon@ATHENA.MIT.EDU (Wolfgang Wiese)
Thu Nov 16 18:44:01 2000

Message-Id:  <3A1422A5.E431BE79@rrze.uni-erlangen.de>
Date:         Thu, 16 Nov 2000 19:08:37 +0100
Reply-To: Wolfgang Wiese <wolfgang.wiese@RRZE.UNI-ERLANGEN.DE>
From: Wolfgang Wiese <wolfgang.wiese@RRZE.UNI-ERLANGEN.DE>
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

following the notice about Version 1.08 of Dnstools
I looked into the new version (1.10) that is currently
downloadable on dnstools.com.
It still contains a security bug by not parsing input-values.

Details:
I saw the author improved the script by entering the subroutine
        ParseForSecurity().
There the input-values are parsed with the line
        $parse_data=~s/[;`\*&]//g;

But it's still possible to insert 'dangerous' chars by using
hexadecimal strings, like within x00-x20.

Bugfix:
My advice would be to make an inverse parsing:
Delete everything, that is not allowed.
Like this:
        $parse_data=~s/[^a-zA-Z0-9\-_\.]//g;

The author was informed today at 13:55 MET and
he answered at 16:05 MET that he will fix the problem
in time.

Ciao,
  Wolfgang

--
______________________________________________________________________
  Dipl. Inf. Wolfgang Wiese                   XWolf CGI & Webworking
  xwolf@xwolf.com                               http://www.xwolf.com
______________________________________________________________________
            PGP-key: http://www.xwolf.com/public-key.txt
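
The two filters quoted in the message, run side by side over constructed inputs. This is an added example, not part of the original post or of DNSTools; is_valid_host() and the sample values are assumptions, and the reject-instead-of-strip check goes beyond what the post proposes.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Denylist from DNSTools 1.10, as quoted in the post: strips only ; ` * &
sub denylist_filter {
    my ($v) = @_;
    $v =~ s/[;`\*&]//g;
    return $v;
}

# Allowlist proposed in the post: strips everything except a-z A-Z 0-9 - _ .
sub allowlist_filter {
    my ($v) = @_;
    $v =~ s/[^a-zA-Z0-9\-_\.]//g;
    return $v;
}

# Assumption (hypothetical helper): reject rather than silently strip, and
# refuse a leading '-' so the value cannot be read as a command-line option.
# \A and \z anchor the whole string; '$' would tolerate a trailing newline.
sub is_valid_host {
    my ($v) = @_;
    return $v =~ /\A[a-zA-Z0-9_][a-zA-Z0-9\-_\.]{0,252}\z/ ? 1 : 0;
}

# Render control characters and spaces as \xNN so they are visible.
sub show {
    my ($v) = @_;
    $v =~ s/([\x00-\x20\x7f])/sprintf('\\x%02x', ord $1)/ge;
    return $v;
}

# Constructed sample inputs: a plain host name, three values carrying bytes
# from the 0x00-0x20 range (as they look after URL decoding), and one with ';'.
my @samples = (
    "www.example.com",
    "www.example.com\x0aX",
    "www.example.com\x00X",
    "www.example.com\x09\x20X",
    "www.example.com;X",
);

printf "%-30s %-30s %-20s %s\n", 'input', 'denylist', 'allowlist', 'valid';
for my $s (@samples) {
    printf "%-30s %-30s %-20s %s\n", show($s), show(denylist_filter($s)),
        show(allowlist_filter($s)), is_valid_host($s) ? 'yes' : 'no';
}
```

The denylist column still shows the `\x0a`, `\x00`, `\x09` and `\x20` bytes, while the allowlist column reduces each of those inputs to `www.example.comX` and the validity check rejects them outright.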
