Vulnerability Development mailing list archives
Vulnerability in xinetd (Found)
From: ml <ml () BLAS NET>
Date: Fri, 16 Mar 2001 21:33:39 +0100
Here is what I found. At the time of the pseudo-intrusion, there was effectively a host name in the filter and the current version is 2.1.88p1. xinetd Connection Filtering Via Hostname Vulnerability RELEASED: June 04, 2000 AFFECTS: xinetd 2.1.87, 88, 89 almost all versions REFERENCE: http://www.securityfocus.com/bid/1381 If a hostname is specified to limit access to a service instead of an IP (for instance, specifying 'localhost' instead of 127.0.0.1), any host which attempts to connect to the service that does not have a reverse record will be able to connect, when they should actually be denied. SAFER Upgrading to version 2.1.8.8p3 or 2.1.8.9pre6, or later, will eliminate this vulnerability Thanks, and sorry for the disturbance of the mailing-list, db
Current thread:
- Vulnerability in xinetd (Found) ml (Mar 16)