Hi, I found a security bug in the file axfr-get.php. You can run any program on the HTTP server machine. Try this: axfr_get.php?hostname=a; echo&domain=a
Patch is attached.
thx
--- axfr_get.php.orig Sat Mar 13 18:52:30 2004 +++ axfr_get.php Sat Mar 13 19:20:52 2004 @@ -45,7 +45,7 @@ $rand = rand(); $file = "/tmp/$domain.$rand"; -$command = "/usr/local/bin/tcpclient $hostname 53 /usr/local/bin/axfr-get $domain $file $file.tmp 2>&1"; +$command = "/usr/local/bin/tcpclient '".escapeshellarg($hostname)."' 53 /usr/local/bin/axfr-get '".escapeshellarg($domain)."' $file $file.tmp 2>&1"; exec($command, $out); // Print any errors first
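Review bot: the added `$command` line still lets shell metacharacters through, because escapeshellarg() already returns its argument wrapped in single quotes and the extra literal `'` written on each side of `escapeshellarg($hostname)` and `escapeshellarg($domain)` cancels that quoting. With the input from the report the shell sees `''a; echo''`, that is two empty quoted strings with the payload unquoted between them, so the `;` still ends the tcpclient command. Drop the hand-written quotes and concatenate `escapeshellarg($hostname)` and `escapeshellarg($domain)` on their own. The context line `$file = "/tmp/$domain.$rand";` also still builds the path from the raw `$domain`, and `$file` and `$file.tmp` go into the command unescaped, so the same input reaches the shell through that route; pass both through escapeshellarg() as well, or build the file name from a validated domain rather than the request parameter.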
