OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: DNSTools v1.08 has no input validation
From: Jonathan Leto (jonathanLETO.NET)
Date: Thu Mar 02 2000 - 07:59:15 CST


Hello all.

Dnstools 1.08 ( available at http://www.dnstools.com/dnst_v1.tgz ) has 18 cgi
scripts with various functions, like AddMx, DeleteDomain, that all start off like
this:

-----------------
#!/usr/bin/perl

use CGI;
use DBI;
my $CGI = new CGI;

########################################################
### Get all of the values from the web form
########################################################

my $host_name;
my $domain_name;

$host_name = $CGI->param("host_name");
$domain_name = $CGI->param("domain_name");

$error_description = "";
my $error_code = system("/usr/local/dnstools/delete_mx -d \"$domain_name\" -n \"$host_name\"");

-------------

Not a lick of input validation is done, so executing and poking around the filesystem as the webserver
is possible. It doesn't even vainly check the referrer.
This costs $800??

--
jonathanleto.net
http://leto.net
"With pain comes clarity."