[RELEASE] LookingGlass v1.3.0 (Maintenance/Security)

Discussion in 'Coding, Scripting & Programming' started by telephone, Jan 26, 2015.

  1. telephone

    telephone New Member

    Releasing LookingGlass v1.3.0:

    Project page: LookingGlass

    Security:

    It was brought to my attention last week that an RDNS XSS could exploit LookingGlass. As it turns out, illegal characters are not filtered on a lower level (as RFC1034 would suggest).
    LookingGlass was vulnerable as it simply outputs the contents from a terminal. The fix applied uses "htmlspecialchars()" to filter stdout from the terminal.

    What's the lesson here? Never trust anyone/anything! :)

    For more information on this type of exploit, visit: ZoczuS Blog - How Reverse DNS can help us with XSS, SQLi, RCE...

    Changelog:

    1.3.0 (2015-01-25)
    * Fix RDNS XSS
    * Fix ' ' being escaped by temporary patch (SHA a421a8e)
    * Fix 'REQUEST_URI' XSS (URL is now hard-coded via config)
    * Catch error when using IPv6 hostname with IPv4 command, and vice versa
    * Added .htaccess (fixes readable subdirectory)
    * Added sample Nginx configuration (fixes readable subdirectory)
    * GNU shred to create test files (fixes gzip and ssl compression)
    * Update configure.sh (add site url, sudo for CentOS, and user:group chown)
    * Update cerulean and united to Bootstrap v2.3.2
    * Update readable and spacelab to Bootstrap v2.2.1
    * Update jQuery to v1.11.2
    * Update XMLHttpRequest.js

    Updating:

    Q. Should I update if I've applied the patch fix?
    A. YES!!!

    For information on how to update, please visit the README. (BBCode formatting sucks for in-line code blocks).

    Version 2:

    Q. When will the rumoured v2 be released?
    A. Soon™
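
The shape of the RDNS XSS fix described above, as an added example (not LookingGlass's own code): a looking glass streams the stdout of a command such as ping into the page, and a reverse-DNS lookup inside that command can place an attacker-controlled PTR record into the output. The sample output lines and the function names are constructed for this illustration.

```php
<?php
// Added example, not code from the LookingGlass project.
// A looking glass runs e.g. `ping -c 4 <target>` and writes its stdout into
// the HTML page, usually line by line as the command streams. The hostname in
// each reply line comes from the target's PTR record, which the site operator
// does not control, so every line must be HTML-escaped before output.

// Constructed sample of ping stdout whose PTR record contains markup
// (illegal per RFC 1034, but not rejected by every resolver).
$stdoutLines = [
    "PING 203.0.113.7 (203.0.113.7) 56(84) bytes of data.",
    "64 bytes from <script>alert(1)</script>.example.net (203.0.113.7): icmp_seq=1 ttl=54 time=12.3 ms",
];

// Pre-1.3.0 pattern: terminal output copied into the page verbatim.
// The browser parses the PTR-supplied <script> tag and runs it.
function render_unescaped(string $line): string
{
    return $line . "\n";
}

// 1.3.0 pattern: escape each line with htmlspecialchars() before output.
// ENT_QUOTES also escapes single quotes, so the line is safe inside attribute
// values too; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
// empty string, which would otherwise silently drop whole lines of output.
function render_escaped(string $line): string
{
    return htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "\n";
}

header('Content-Type: text/html; charset=UTF-8');
echo "<pre>";
foreach ($stdoutLines as $line) {
    // Escaping per line keeps the fix compatible with streamed output.
    echo render_escaped($line);
}
echo "</pre>";
```

Because the escaping happens on the output path rather than on the hostname alone, it also covers any other untrusted text the command prints, such as traceroute hop names.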
     
  2. drmike

    drmike 100% Tier-1 Gogent

    "GNU shred to create test files (fixes gzip and ssl compression)"

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! YIPPIES !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    The able-to-be-compressed files have long been a point of my agitation. Speed tests should be RANDOM data and not compress enhanced or able to be.

    This change, a very good thing @telephone.
     
  3. HalfEatenPie

    HalfEatenPie The Irrational One Retired Staff

  4. William

    William pr0 Verified Provider

    That's pretty h0m0 though :)

    Anyway; good software, can't complain.
     
  5. RLT

    RLT Active Member

    Very nice job.
     
  6. HalfEatenPie

    HalfEatenPie The Irrational One Retired Staff

    Hehe nothing wrong with Bromance
     
  7. Stack

    Stack New Member

    I love using LookingGlass for insights for my customers, great software I must say!