Date: Fri, 5 Dec 2014 16:04:04 +0000 From: Steve Kemp <steve@...ve.org.uk> To: oss-security@...ts.openwall.com Subject: Re: CVE Request - dns-sync node module This never did receive an allocation, did it? On Tue Nov 11, 2014 at 20:02:40 +0000, Steve Kemp wrote: > > The dns-sync library for node.js allows resolving hostnames in > a synchronous fashion > > All versions of dns-sync prior to the release 0.1.1 were > vulnerable to arbitrary command execution via maliciously > formed hostnames. For example: > > var dnsSync = require('dns-sync'); > console.log(dnsSync.resolve('$(id > /tmp/foo)')); > > This is caused by the hostname being passed through a shell > as part of a command execution. > > I disclosed/reported this here: > > https://github.com/skoranga/node-dns-sync/issues/1 > > The following commit resolves the bug: > > https://github.com/skoranga/node-dns-sync/commit/d9abaae384b198db1095735ad9c1c73d7b890a0d Steve -- Git-based DNS hosting https://dns-api.com/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.