Date: Thu, 16 Nov 2000 19:08:37 +0100
From: Wolfgang Wiese <wolfgang.wiese@RRZE.UNI-ERLANGEN.DE>
Subject: Still a cgi-security hole in DNSTools (1.10)
To: BUGTRAQ@SECURITYFOCUS.COM

Hi,

following the notice about Version 1.08 of Dnstools I looked into the new version (1.10) that is currently downloadable on dnstools.com. It still contains a security bug by not parsing input-values.

Details:
I saw the author improved the script by entering the subroutine ParseForSecurity(). There the input-values are parsed with the line

    $parse_data=~s/[;`\*&]//g;

But it's still possible to insert 'dangerous' chars by using hexadecimal strings, like within x00-x20.

Bugfix:
My advice would be to make an inverse parsing: Delete everything that is not allowed. Like this:

    $parse_data=~s/[^a-zA-Z0-9\-_\.]//g;

The author was informed today at 13:55 MET and he answered at 16:05 MET that he will fix the problem in time.

Ciao,
Wolfgang

--
______________________________________________________________________
Dipl. Inf. Wolfgang Wiese
XWolf CGI & Webworking
xwolf@xwolf.com http://www.xwolf.com
______________________________________________________________________
PGP-key: http://www.xwolf.com/public-key.txt
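
Added example, not part of the original post or of the DNSTools source: the two substitutions quoted in the message, run over constructed query values that carry percent-encoded bytes from the 0x00-0x20 range, reporting which unexpected bytes each filter leaves behind. The helper names, the sample values, and the assumption that values are percent-decoded before filtering are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: query values are percent-decoded before they are filtered,
# as CGI parameter parsing normally does.
sub url_decode {
    my ($v) = @_;
    $v =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $v;
}

# Substitution quoted in the post for version 1.10: strip a fixed set.
sub filter_110 {
    my ($parse_data) = @_;
    $parse_data =~ s/[;`\*&]//g;
    return $parse_data;
}

# Substitution proposed in the post: strip everything that is not allowed.
sub filter_inverse {
    my ($parse_data) = @_;
    $parse_data =~ s/[^a-zA-Z0-9\-_\.]//g;
    return $parse_data;
}

# Hex codes of the bytes in a value that fall outside the allowed set.
sub unexpected_bytes {
    my ($v) = @_;
    return join ' ',
        map  { sprintf('0x%02x', ord($_)) }
        grep { /[^a-zA-Z0-9\-_\.]/ }
        split //, $v;
}

# Constructed sample values (not taken from the post).
my @samples = ('www.example.com', 'www.example.com%00', 'www.example.com%0a',
               'www.example.com%20%09', 'www.exa;mple.com');

for my $raw (@samples) {
    my $decoded = url_decode($raw);
    my $old     = unexpected_bytes(filter_110($decoded));
    my $new     = unexpected_bytes(filter_inverse($decoded));
    printf "%-24s 1.10 filter leaves: %-10s inverse filter leaves: %s\n",
        $raw, $old || 'nothing', $new || 'nothing';
}
```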