Bugtraq mailing list archives

Still a cgi-security hole in DNSTools (1.10)
From: Wolfgang Wiese <wolfgang.wiese () RRZE UNI-ERLANGEN DE>
Date: Thu, 16 Nov 2000 19:08:37 +0100


Following the notice about Version 1.08 of Dnstools
I looked into the new version (1.10) that is currently
downloadable on dnstools.com.
It still contains a security bug by not parsing input-values.

I saw the author improved the script by entering the subroutine
There the input-values are parsed with the line

But it's still possible to insert 'dangerous' chars by using
hexadecimal strings, like within x00-x20.

My advice would be to make an inverse parsing:
Delete everything that is not allowed.
Like this:

The author was informed today at 13:55 MET and
he answered at 16:05 MET that he will fix the problem
in time.


  Dipl. Inf. Wolfgang Wiese                   XWolf CGI & Webworking
  xwolf () xwolf com                               http://www.xwolf.com
            PGP-key: http://www.xwolf.com/public-key.txt
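
The "inverse parsing" advice above, as an added example that is not part of the original post and is not DNSTools code: a denylist that strips listed metacharacters is run beside an allowlist that deletes everything not permitted, on percent-encoded values in the x00-x20 range. The denylist pattern, the function names and the sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Hypothetical denylist, standing in for a filter that strips a fixed set of
# shell metacharacters (assumption; not the DNSTools source).
DENYLIST = re.compile(r"[;|&<>`$\\]")

# Allowlist for a host name or IPv4 address: letters, digits, dot, hyphen.
NOT_ALLOWED = re.compile(r"[^A-Za-z0-9.-]")


def denylist_filter(value):
    """Remove only the characters someone remembered to list."""
    return DENYLIST.sub("", value)


def allowlist_filter(value):
    """Inverse parsing: delete every character that is not allowed."""
    return NOT_ALLOWED.sub("", value)


def control_chars(value):
    """Report characters in the 0x00-0x20 range still present in value."""
    return sorted({f"0x{ord(c):02x}" for c in value if ord(c) <= 0x20})


def compare(raw):
    """Decode a raw query-string value, then run both filters over it."""
    decoded = unquote(raw)  # %0A -> newline, %00 -> NUL, as a CGI layer would
    deny, allow = denylist_filter(decoded), allowlist_filter(decoded)
    return {"denylist": deny, "denylist_ctrl": control_chars(deny),
            "allowlist": allow, "allowlist_ctrl": control_chars(allow)}


# Constructed sample values, not taken from the post.
SAMPLES = ["www.example.com", "example.com;tail",
           "example.com%0Asecond", "example.com%00%09%20tail"]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw, compare(raw))
```

The denylist output still carries the decoded control characters, while the allowlist output contains only characters from the permitted set.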
