[RELEASE] LookingGlass v1.3.0 (Maintenance/Security)
Releasing LookingGlass v1.3.0:
Project page: LookingGlass
It was brought to my attention last week that an RDNS XSS could exploit LookingGlass.
As it turns out, illegal characters are not filtered on a lower level (as RFC1034 would suggest).
LookingGlass was vulnerable as it simply outputs the contents from a terminal. The fix applied uses
to filter stdout from terminal.
What's the lesson here? Never trust anyone/anything!
For more information on this type of exploit, visit:
ZoczuS Blog - How Reverse DNS can help us with XSS, SQLi, RCE...
- 1.3.0 (2015-01-25)
* Fix RDNS XSS
* Fix ' ' being escaped by temporary patch (SHA a421a8e)
* Fix 'REQUEST_URI' XSS (URL is now hard-coded via config)
* Catch error when using IPv6 hostname with IPv4 command, and vice versa
* Added .htaccess (fixes readable subdirectory)
* Added sample Nginx configuration (fixes readable subdirectory)
* GNU shred to create test files (fixes gzip and ssl compression)
* Update configure.sh (add site url, sudo for centOS, and user:group chown)
* Update cerulean and united to Bootstrap v2.3.2
* Update readable and spacelab to Bootstrap v2.2.1
* Update Jquery to v1.11.2
* Update XMLHttpRequest.js
Q. Should I update if I've applied the patch fix?
Steps to update:
- Download LookingGlass to the folder containing
your existing install
2. Extract archive:
tar -zxvf LookingGlass-1.3.0.tar.gz --overwrite --strip-components 1
* This will overwrite/update existing files
3. Navigate to the
LookingGlass subdirectory in terminal
5. Follow the instructions and
configure.sh will take care of the rest
* Note: Re-enter test files to create random test files from
For information on how to update, please visit the README.
Q. When will the rumoured v2 be released?