DNSTools Input Validation Vulnerability

Vulnerability Details

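Vulnerability Summary

The DNSTools CGI application contains a vulnerability. A remote attacker can execute arbitrary commands by means of shell metacharacters.

Vulnerability Advisory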

Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.
The vendor has been contacted and has patched the 1.10 release of DNSTools. See message from Wolfgang Wiese in reference section.
The best short term solution is to disable the DNSTools CGIs altogether. If you feel confident, the code can be edited to prevent the vulnerabilities by dictating that only acceptable characters be allowed in post variables. This could be achieved as follows:
# Reject anything other than A-Z/a-z. \A and \z anchor the whole string, so a trailing newline is rejected too.
if ($domain_name !~ /\A[a-zA-Z]*\z/) { print "Error"; exit -1; }
Assuming only A-Z and a-z are allowable characters. Please note, this will not address all the problematic post variables, nor is it guaranteed to eliminate other problems.
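An added example (not part of the advisory and not DNSTools' own code) that extends the single-variable check above to a per-field allow-list, so that every post variable is validated and unknown fields are rejected. Only domain_name appears in the advisory; record_type, the rules table and the sample requests are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# One DNS label: letters, digits and inner hyphens, 1 to 63 characters.
my $LABEL = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;

# Hypothetical allow-list, one anchored pattern per expected post variable.
# \A and \z match the true start and end, so "name\n" does not slip through.
my %ALLOWED = (
    domain_name => qr/\A$LABEL(?:\.$LABEL)*\z/,
    record_type => qr/\A(?:A|MX|NS|CNAME|PTR|TXT)\z/,
);

# Returns (\%clean, \@errors). Fields without a rule are rejected, not ignored.
sub validate_params {
    my (%in) = @_;
    my (%clean, @errors);
    for my $name (sort keys %in) {
        my $rule  = $ALLOWED{$name};
        my $value = $in{$name};
        if (!defined $rule) {
            push @errors, "unexpected field '$name'";
        }
        elsif (defined $value && length($value) <= 253 && $value =~ $rule) {
            $clean{$name} = $value;
        }
        else {
            push @errors, "invalid value for '$name'";
        }
    }
    return (\%clean, \@errors);
}

# Constructed sample requests (not taken from the advisory).
my @samples = (
    { domain_name => 'example.com', record_type => 'MX' },
    { domain_name => 'example.com; echo injected' },   # shell metacharacters
    { domain_name => "example.com\n" },                # trailing newline
    { domain_name => 'example.com', extra => 'x' },    # field with no rule
);

for my $req (@samples) {
    my ($clean, $errors) = validate_params(%$req);
    if (@$errors) { print 'REJECT: ', join('; ', @$errors), "\n"; next; }
    # Only validated values from %$clean should ever reach an external command.
    print 'ACCEPT: ', join(', ', map { "$_=$clean->{$_}" } sort keys %$clean), "\n";
}
```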

References

Source: BID
Name: 1028
Link: http://www.securityfocus.com/bid/1028

Source: BUGTRAQ
Name: 20000302 DNSTools v1.08 has no input validation
Link: http://archives.neohapsis.com/archives/bugtraq/2000-03/0000.html
