List: oss-security
Subject: [oss-security] Re: CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution
From: Eduardo Tongson <propolice () gmail ! com>
Date: 2014-04-22 7:46:48
Message-ID: CANDc0N+RU6oJ0aDYUGGB6o9AQCD9HODEX58+r838Kzf3Ly=mPw () mail ! gmail ! com
On Tue, Apr 22, 2014 at 12:11 PM, <cve-assign@mitre.org> wrote:
> ...
> Use CVE-2014-2913.
>
>
Thanks.
> We have not seen additional comments about whether \r would prevent an
> alternate attack approach. If it does, a separate CVE ID would be
> assigned. We do not know of a version of Bash in which \r separates
> commands in the same way that \n does. For example:
>
> % /bin/bash -c "`echo -e "echo a\x0aecho b"`" | cat -v
> a
> b
> % /bin/bash -c "`echo -e "echo a\x0decho b"`" | cat -v
> a^Mecho b
>
Agreed. It's pointless to add a bunch of characters to a blacklist if
they do not have any effect.