[RELEASE] LookingGlass v1.3.0 (Maintenance/Security)


New Member
Releasing LookingGlass v1.3.0:

Project page: LookingGlass


It was brought to my attention last week that an RDNS XSS could exploit LookingGlass. As it turns out, illegal characters are not filtered on a lower level (as RFC1034 would suggest).
LookingGlass was vulnerable as it simply outputs the contents from a terminal. The fix applied uses "htmlspecialchars()" to filter stdout from terminal.

What's the lesson here? Never trust anyone/anything! :)

For more information on this type of exploit, visit:  ZoczuS Blog - How Reverse DNS can help us with XSS, SQLi, RCE...


* 1.3.0 (2015-01-25)
* Fix ' ' being escaped by temporary patch (SHA a421a8e)
* Fix 'REQUEST_URI' XSS (URL is now hard-coded via config)
* Catch error when using IPv6 hostname with IPv4 command, and vice versa
* Added .htaccess (fixes readable subdirectory)
* Added sample Nginx configuration (fixes readable subdirectory)
* GNU shred to create test files (fixes gzip and ssl compression)
* Update (add site url, sudo for centOS, and user:group chown)
* Update cerulean and united to Bootstrap v2.3.2
* Update readable and spacelab to Bootstrap v2.2.1
* Update Jquery to v1.11.2
* Update XMLHttpRequest.js

Q. Should I update if I've applied the patch fix?
A. YES!!!

For information on how to update, please visit the README. (BBCode formatting sucks for in-line code blocks).

Version 2:

Q. When will the rumoured v2 be released?
A. Soon™


100% Tier-1 Gogent
"GNU shred to create test files (fixes gzip and ssl compression)"

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! YIPPIES !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

The able-to-be-compressed files have long been a point of my agitation.  Speed tests should be RANDOM data and not compress enhanced or able to be.

This change, a very good thing @telephone .
Last edited by a moderator:


New Member
I love using LookingGlass for insights for my customers, great software I must say!