Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 18 Apr 2014 09:03:17 +0100
From: John Haxby <john.haxby@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution


On 18 Apr 2014, at 07:16, gremlin@...mlin.ru wrote:

> On 18-Apr-2014 10:14:16 +0800, Eduardo Tongson wrote:
> 
>> Details: http://seclists.org/fulldisclosure/2014/Apr/240
>> Fix:
> 
>> --- nrpe/src/nrpe.c
>> +++ nrpe/src/nrpe.c
>> -#define NASTY_METACHARS         "|`&><'\"\\[]{};"
>> +#define NASTY_METACHARS         "|`&><'\"\\[]{};\n"
> 
> Adding \r here may be a good idea as well...


And Ď$í   you have ` but you donít guard against $(do something unpleasant).

jch

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ