Releasing LookingGlass v1.3.0:
Project page: LookingGlass
Security:
It was brought to my attention last week that an RDNS XSS could exploit LookingGlass. As it turns out, illegal characters are not filtered on a lower level (as RFC1034 would suggest).
LookingGlass was vulnerable as it simply outputs the contents from a terminal. The fix applied uses htmlspecialchars() to filter stdout from terminal.
What's the lesson here? Never trust anyone/anything! :)
For more information on this type of exploit, visit: ZoczuS Blog - How Reverse DNS can help us with XSS, SQLi, RCE...
Changelog:
- 1.3.0 (2015-01-25)
- Fix RDNS XSS
- Fix ' ' being escaped by temporary patch (SHA a421a8e)
- Fix 'REQUEST_URI' XSS (URL is now hard-coded via config)
- Catch error when using IPv6 hostname with IPv4 command, and vice versa
- Added .htaccess (fixes readable subdirectory)
- Added sample Nginx configuration (fixes readable subdirectory)
- GNU shred to create test files (fixes gzip and ssl compression)
- Update configure.sh (add site url, sudo for centOS, and user:group chown)
- Update cerulean and united to Bootstrap v2.3.2
- Update readable and spacelab to Bootstrap v2.2.1
- Update Jquery to v1.11.2
- Update XMLHttpRequest.js
Updating:
Q. Should I update if I've applied the patch fix?
A. YES!!!
Steps to update:
- Download LookingGlass to the folder containing your existing install
- Extract archive:
tar -zxvf LookingGlass-v1.3.0.tar.gz --overwrite --strip-components 1
- This will overwrite/update existing files
- Navigate to the
LookingGlasssubdirectory in terminal- Run
bash configure.sh- Follow the instructions and
configure.shwill take care of the rest
- Note: Re-enter test files to create random test files from
GNU shred
For information on how to update, please visit the README.
Version 2:
Q. When will the rumoured v2 be released?
A. Soon™
http://ift.tt/1dvHQ0Z
0 comments:
Post a Comment