oss-sec mailing list archives
Re: CVE Request - dns-sync node module
From: Steve Kemp <steve () steve org uk>
Date: Fri, 5 Dec 2014 16:04:04 +0000
This never did receive an allocation, did it?

On Tue Nov 11, 2014 at 20:02:40 +0000, Steve Kemp wrote:
The dns-sync library for node.js allows resolving hostnames in
a synchronous fashion.
All versions of dns-sync prior to the release 0.1.1 were
vulnerable to arbitrary command execution via maliciously
formed hostnames. For example:
var dnsSync = require('dns-sync');
console.log(dnsSync.resolve('$(id > /tmp/foo)'));
This is caused by the hostname being passed through a shell
as part of a command execution.
I disclosed/reported this here:
https://github.com/skoranga/node-dns-sync/issues/1
The following commit resolves the bug:
https://github.com/skoranga/node-dns-sync/commit/d9abaae384b198db1095735ad9c1c73d7b890a0d
Steve
--
Git-based DNS hosting https://dns-api.com/
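Added example, not part of the original message and not dns-sync's own code: one way to do a synchronous lookup without passing the hostname through a shell, by validating the name and then spawning a child with an argument array. The names isValidHostname, runNode, echoViaArgv and resolveSync are hypothetical.

```javascript
const { execFileSync } = require('child_process');

// Unsafe shape the report describes: one command string containing the
// hostname is handed to a shell, which expands "$(...)" before the lookup.
// Hardened shape below: validate the name, then spawn without any shell.

// Conservative RFC 1123 style check: dot-separated labels of letters, digits
// and hyphens, 1-63 chars each, never starting or ending with a hyphen,
// at most 253 chars overall. Shell metacharacters cannot pass.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

function isValidHostname(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 253) {
    return false;
  }
  return name.replace(/\.$/, '').split('.').every((label) => LABEL.test(label));
}

// execFileSync starts the binary directly and hands each array element to
// the child as one argv entry, so "$(...)", ";" and backticks in `arg` are
// plain bytes. "--" stops node from reading `arg` as one of its own options.
function runNode(script, arg) {
  return execFileSync(process.execPath, ['-e', script, '--', arg], {
    encoding: 'utf8',
    timeout: 5000,
  });
}

const ECHO = 'process.stdout.write(process.argv[process.argv.length - 1]);';
const LOOKUP =
  "require('dns').lookup(process.argv[process.argv.length - 1]," +
  ' (err, addr) => process.stdout.write(err ? "" : addr));';

// Returns what the child actually received as its argument.
function echoViaArgv(value) {
  return runNode(ECHO, value);
}

// Synchronous resolve: reject bad names first, then look up in the child.
function resolveSync(hostname) {
  if (!isValidHostname(hostname)) {
    throw new TypeError('refusing to resolve invalid hostname');
  }
  return runNode(LOOKUP, hostname) || null; // null when the lookup fails
}
```

Validation and the shell-free spawn are independent layers: the first rejects the sample hostname from the report outright, the second keeps any string that does get through from being interpreted as shell syntax.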
