[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: whois_raw.cgi problem
On Wed, Jun 02, 1999 at 12:16:42AM +0200, Peter van Dijk wrote:
> On Tue, Jun 01, 1999 at 12:34:51AM +0200, Salvatore Sanfilippo -antirez- wrote:
> > Hi,
> >
> > sorry if this has already been known.
> >
> > There is a problem in whois_raw.cgi, called from
> > whois.cgi. whois_raw.cgi is part of cdomain v1.0.
> > I don't know if new versions are vulnerable.
>
> Version 2.0 is just as vulnerable.
>
> The commercial version (the one that runs on NT too :) is _not_ vulnerable
> since it does it's own socket thing instead of starting 'whois'.
>
> I've known of this bug in cdomain for about 6 months but never got around
> to writing up an advisory...
To elaborate this a bit further: cdomain-free 2.4 and lower are
_vulnerable_. cdomain-free 2.5 and all commercial cdomain versions I've
seen are _not_ vulnerable, because they connect to the whois servers
themselves.
cdomain-free is available for download at www.cdomain.com.
Greetz, Peter
--
| 'He broke my heart, | Peter van Dijk |
I broke his neck' | peter@attic.vuurwerk.nl |
nognikz - As the sun | Hardbeat@ircnet - #cistron/#linux.nl |
| Hardbeat@undernet - #groningen/#kinkfm/#vdh |