oss-sec mailing list archives
Re: CVE Request - dns-sync node module
From: Steve Kemp <steve () steve org uk>
Date: Fri, 5 Dec 2014 16:04:04 +0000
This never did receive an allocation, did it? On Tue Nov 11, 2014 at 20:02:40 +0000, Steve Kemp wrote:
The dns-sync library for node.js allows resolving hostnames in a synchronous fashion All versions of dns-sync prior to the release 0.1.1 were vulnerable to arbitrary command execution via maliciously formed hostnames. For example: var dnsSync = require('dns-sync'); console.log(dnsSync.resolve('$(id > /tmp/foo)')); This is caused by the hostname being passed through a shell as part of a command execution. I disclosed/reported this here: https://github.com/skoranga/node-dns-sync/issues/1 The following commit resolves the bug: https://github.com/skoranga/node-dns-sync/commit/d9abaae384b198db1095735ad9c1c73d7b890a0d
Steve -- Git-based DNS hosting https://dns-api.com/
Current thread:
- CVE Request - dns-sync node module Steve Kemp (Nov 11)
- Re: CVE Request - dns-sync node module Steve Kemp (Dec 05)