COMMAND

    DNSTools

SYSTEMS AFFECTED

    DNSTools 1.10

PROBLEM

    Wolfgang Wiese found the following.  Following the notice about
    version 1.08 of DNSTools, Wiese looked into the new version (1.10)
    that is currently downloadable on dnstools.com.  It still contains
    a security bug caused by not parsing input values.

    Wiese saw that the author improved the script by adding the
    subroutine

        ParseForSecurity()

    There the input values are parsed with the line

        $parse_data=~s/[;`\*&]//g;

    But it is still possible to insert 'dangerous' characters by using
    hexadecimal strings, such as those within x00-x20.

SOLUTION

    My advice would be to do inverse parsing: delete everything that
    is not allowed.  Like this:

        $parse_data=~s/[^a-zA-Z0-9\-_\.]//g;

    Fix should be available.
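
    The two substitutions above, compared side by side in an added
    example (not code from DNSTools or from the advisory).  The
    subroutine names and the sample value are assumptions made for
    illustration; the two regular expressions are the ones quoted
    above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The 1.10 filter quoted in PROBLEM: removes only four listed characters.
sub denylist_filter {
    my ($parse_data) = @_;
    $parse_data =~ s/[;`\*&]//g;
    return $parse_data;
}

# The inverse filter from SOLUTION: removes everything that is not listed.
sub allowlist_filter {
    my ($parse_data) = @_;
    $parse_data =~ s/[^a-zA-Z0-9\-_\.]//g;
    return $parse_data;
}

# Byte values in [$lo, $hi] that a filter leaves in place, as hex labels.
sub survivors {
    my ($filter, $lo, $hi) = @_;
    return map  { sprintf('x%02X', $_) }
           grep { length($filter->(chr($_))) > 0 } $lo .. $hi;
}

my @deny  = survivors(\&denylist_filter,  0x00, 0x20);
my @allow = survivors(\&allowlist_filter, 0x00, 0x20);
printf "x00-x20 values passing the 1.10 filter:    %d of 33\n", scalar @deny;
printf "x00-x20 values passing the inverse filter: %d of 33\n", scalar @allow;

# Constructed sample value (not from the advisory): a host name followed by
# a line feed and more text, assumed to be what the script sees once the
# hexadecimal form of the input has been decoded.
my $sample = "ns1.example.com\x0Aextra text";

for my $case (['1.10 filter',    \&denylist_filter],
              ['inverse filter', \&allowlist_filter]) {
    my ($name, $filter) = @$case;
    my $out = $filter->($sample);
    # Make non-printable bytes and spaces visible in the report.
    (my $shown = $out) =~ s/([^\x21-\x7E])/sprintf('\\x%02X', ord($1))/ge;
    printf "%-15s-> %s\n", $name, $shown;
}
```

    All 33 values from x00 to x20 pass the 1.10 filter unchanged, and
    none of them pass the inverse filter.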