telephone
New Member
Releasing LookingGlass v1.3.0:
Project page: LookingGlass
Security:
It was brought to my attention last week that an RDNS XSS could exploit LookingGlass. As it turns out, illegal characters are not filtered on a lower level (as RFC1034 would suggest).
LookingGlass was vulnerable as it simply outputs the contents from a terminal. The fix applied uses "htmlspecialchars()" to filter stdout from terminal.
What's the lesson here? Never trust anyone/anything!
For more information on this type of exploit, visit: ZoczuS Blog - How Reverse DNS can help us with XSS, SQLi, RCE...
Changelog:
* 1.3.0 (2015-01-25)
* Fix RDNS XSS
* Fix ' ' being escaped by temporary patch (SHA a421a8e)
* Fix 'REQUEST_URI' XSS (URL is now hard-coded via config)
* Catch error when using IPv6 hostname with IPv4 command, and vice versa
* Added .htaccess (fixes readable subdirectory)
* Added sample Nginx configuration (fixes readable subdirectory)
* GNU shred to create test files (fixes gzip and ssl compression)
* Update configure.sh (add site url, sudo for centOS, and user:group chown)
* Update cerulean and united to Bootstrap v2.3.2
* Update readable and spacelab to Bootstrap v2.2.1
* Update Jquery to v1.11.2
* Update XMLHttpRequest.js
Updating:
Q. Should I update if I've applied the patch fix?
A. YES!!!
For information on how to update, please visit the README. (BBCode formatting sucks for in-line code blocks).
Version 2:
Q. When will the rumoured v2 be released?
A. Soon™
Project page: LookingGlass
Security:
It was brought to my attention last week that an RDNS XSS could exploit LookingGlass. As it turns out, illegal characters are not filtered on a lower level (as RFC1034 would suggest).
LookingGlass was vulnerable as it simply outputs the contents from a terminal. The fix applied uses "htmlspecialchars()" to filter stdout from terminal.
What's the lesson here? Never trust anyone/anything!
For more information on this type of exploit, visit: ZoczuS Blog - How Reverse DNS can help us with XSS, SQLi, RCE...
Changelog:
* 1.3.0 (2015-01-25)
* Fix RDNS XSS
* Fix ' ' being escaped by temporary patch (SHA a421a8e)
* Fix 'REQUEST_URI' XSS (URL is now hard-coded via config)
* Catch error when using IPv6 hostname with IPv4 command, and vice versa
* Added .htaccess (fixes readable subdirectory)
* Added sample Nginx configuration (fixes readable subdirectory)
* GNU shred to create test files (fixes gzip and ssl compression)
* Update configure.sh (add site url, sudo for centOS, and user:group chown)
* Update cerulean and united to Bootstrap v2.3.2
* Update readable and spacelab to Bootstrap v2.2.1
* Update Jquery to v1.11.2
* Update XMLHttpRequest.js
Updating:
Q. Should I update if I've applied the patch fix?
A. YES!!!
For information on how to update, please visit the README. (BBCode formatting sucks for in-line code blocks).
Version 2:
Q. When will the rumoured v2 be released?
A. Soon™
