[RELEASE] LookingGlass v1.3.0 (Maintenance/Security)

telephone (Member)
edited January 2015 in General

Releasing LookingGlass v1.3.0:

Project page: LookingGlass

Security:

It was brought to my attention last week that an RDNS XSS could exploit LookingGlass.
As it turns out, illegal characters are not filtered on a lower level (as RFC1034 would suggest).
LookingGlass was vulnerable as it simply outputs the contents from a terminal. The fix applied uses htmlspecialchars() to filter stdout from the terminal.

What's the lesson here? Never trust anyone/anything! :)

For more information on this type of exploit, visit:
ZoczuS Blog - How Reverse DNS can help us with XSS, SQLi, RCE...
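The vulnerable and fixed output paths side by side, as an added illustration that is not LookingGlass's own code. The traceroute hop line, the helper names and the RFC 1034 syntax check are constructed for the example; only htmlspecialchars() comes from the release notes.

```php
<?php
// Added example (not from the LookingGlass project): escape terminal output
// before it is written into the HTML page, as the v1.3.0 fix describes.
// The hop below is CONSTRUCTED: it imitates a traceroute line whose PTR
// record carries HTML markup, which a resolver hands back unfiltered.
const SAMPLE_HOP = " 3  <script>alert(1)</script>.example.invalid (203.0.113.7)  1.234 ms";

// Vulnerable pattern: the raw line is interpolated into the page, so any
// markup returned by reverse DNS is interpreted by the visitor's browser.
function renderHopUnsafe(string $line): string
{
    return "<pre>{$line}</pre>";
}

// Fixed pattern: each line of stdout passes through htmlspecialchars() before
// it reaches the document. ENT_QUOTES also escapes both quote styles (needed
// if the text ever lands inside an attribute), ENT_SUBSTITUTE keeps malformed
// UTF-8 from collapsing the whole line to an empty string, and the charset is
// pinned rather than left to the default.
function escapeOutput(string $line): string
{
    return htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderHopSafe(string $line): string
{
    return '<pre>' . escapeOutput($line) . '</pre>';
}

// Defence in depth (an assumption of this example, not part of the release):
// reject host names that fall outside the RFC 1034 preferred name syntax
// (with RFC 1123's allowance for a leading digit), since resolvers do not
// enforce it on PTR data. Labels are 1-63 chars, letters/digits/hyphens,
// no leading or trailing hyphen; the whole name is at most 253 chars.
function isPreferredNameSyntax(string $host): bool
{
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return strlen($host) <= 253
        && preg_match("/^(?:{$label}\.)*{$label}\.?$/", $host) === 1;
}

echo renderHopUnsafe(SAMPLE_HOP), PHP_EOL;  // markup survives: the XSS fires
echo renderHopSafe(SAMPLE_HOP), PHP_EOL;    // markup is entity-encoded text
var_dump(isPreferredNameSyntax('host-1.example.net'));
var_dump(isPreferredNameSyntax('<script>alert(1)</script>.example.invalid'));
```

Escaping at the output boundary is the actual fix; the syntax check only flags names that could not have come from a well-behaved zone and should not replace it.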

Changelog:

1.3.0 (2015-01-25)

* Fix RDNS XSS
* Fix ' ' being escaped by temporary patch (SHA a421a8e)
* Fix 'REQUEST_URI' XSS (URL is now hard-coded via config)
* Catch error when using IPv6 hostname with IPv4 command, and vice versa
* Added .htaccess (fixes readable subdirectory)
* Added sample Nginx configuration (fixes readable subdirectory)
* GNU shred to create test files (fixes gzip and SSL compression)
* Update configure.sh (add site URL, sudo for CentOS, and user:group chown)
* Update cerulean and united to Bootstrap v2.3.2
* Update readable and spacelab to Bootstrap v2.2.1
* Update jQuery to v1.11.2
* Update XMLHttpRequest.js

Updating:

Q. Should I update if I've applied the patch fix?
A. YES!!!

Steps to update:

1. Download LookingGlass to the folder containing your existing install
2. Extract archive: tar -zxvf LookingGlass-1.3.0.tar.gz --overwrite --strip-components 1
   * This will overwrite/update existing files
3. Navigate to the LookingGlass subdirectory in terminal
4. Run bash configure.sh
5. Follow the instructions and configure.sh will take care of the rest
   * Note: Re-enter test files to create random test files from GNU shred

For information on how to update, please visit the README.

Version 2:

Q. When will the rumoured v2 be released?
A. Soon™
