* Paul Vixie: > # > Tony Finch > Tuesday, October 14, 2014 5:31 AM > > A CGI script invoked by Apache httpd with HostnameLookups On > (the default is Off, a safer setting is Double) > > thanks, that makes sense. the security advisory posted here did not > mention any real world examples. i agree that apache with > HostnameLookups turned on, on redhat or apple systems where /bin/sh > is bash, is a real world example.
There have been reports that this is a problem with the Apple system resolver. Red Hat Enterprise Linux does not have this vector. It uses the regular glibc resolver, which is based on the old BIND stub resolver, and this code has both escaping from wire format to the textual representation (which destroys the magic pattern) and the res_hnok check (which rejects shell meta-characters). _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
