LookingGlass v1.3.0
A script update has been released that closes an XSS
1.3.0 (2015-01-25)
github.com/telephone/LookingGlass
github.com/telephone/LookingGlass#updating
It was brought to my attention last week that LookingGlass could be exploited through an XSS in reverse-DNS (rDNS) output. As it turns out, characters that RFC 1034 would disallow in hostnames are not filtered at any lower level, so a crafted PTR record can reach the page untouched.
LookingGlass was vulnerable because it simply echoed the terminal output into the page. The fix applied runs the terminal's stdout through htmlspecialchars() before it is rendered.
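The vulnerable pattern beside the hardened one, as an added example in the spirit of the fix rather than LookingGlass's own code; the rDNS output line is a constructed sample and the two render functions are hypothetical names.

```php
<?php
// Constructed sample of what a reverse-DNS lookup could hand back when the
// PTR record carries HTML (not real output). The second line checks that
// ordinary spaces survive encoding, which the temporary patch had broken.
$sampleStdout = "PTR (constructed): 203.0.113.10 -> <script>alert(1)</script>.example.net\n"
              . "Round-trip time: 12 ms\n";

// Vulnerable pattern: terminal stdout is written straight into the page,
// so any markup in the lookup result executes in the visitor's browser.
function render_unsafe(string $stdout): string {
    return '<pre>' . $stdout . '</pre>';
}

// Hardened pattern: encode each line before it reaches the browser.
// ENT_QUOTES also encodes quotes, so the result is safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_safe(string $stdout): string {
    $out = '';
    foreach (explode("\n", rtrim($stdout, "\n")) as $line) {
        $out .= htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "\n";
    }
    return '<pre>' . $out . '</pre>';
}

// Self-check: no raw tag survives, the tag is visibly encoded, spaces intact.
$safe = render_safe($sampleStdout);
assert(strpos($safe, '<script') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);
assert(strpos($safe, 'Round-trip time: 12 ms') !== false);

echo "unsafe:\n", render_unsafe($sampleStdout), "\nsafe:\n", render_safe($sampleStdout);
```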
1.3.0 (2015-01-25)
- Fix rDNS XSS
- Fix spaces (' ') being escaped by the temporary patch (SHA a421a8e)
- Fix 'REQUEST_URI' XSS (the site URL is now hard-coded via config)
- Catch the error raised when an IPv6 hostname is used with an IPv4 command, and vice versa
- Added .htaccess (fixes readable subdirectory)
- Added sample Nginx configuration (fixes readable subdirectory)
- Use GNU shred to create test files (fixes gzip and SSL compression of the downloads)
- Update configure.sh (add site URL, sudo for CentOS, and user:group chown)
- Update cerulean and united themes to Bootstrap v2.3.2
- Update readable and spacelab themes to Bootstrap v2.2.1
- Update jQuery to v1.11.2
- Update XMLHttpRequest.js