Cory Doctorow at 1:50 pm Sun, Aug 26, 2012
So basically the issue is that if you fire up a web service that does DNS lookups for you (I’ll stick to nslookup or dig, thanks), said service may not bother to sanity check the response before mixing it with the result display template. I do wonder how much DNSSEC affects this.
It’s whether the same exploit can be used in REVERSE DNS lookups that has the discoverer concerned, as that would open practically any web server to badness. I think his secondary concern of SQL injections is interesting but less likely to cause any real mischief.
The response would still have to hit an HTML engine somehow to be effective tho, right?
That’s like complaining about C. Or web browsers. Or Java applets. Or Flash. Or your computer, for that matter.
They’re all just a bunch of tools.
Hammer and nails, what terrible things will they do next?
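The failure mode the first comment describes, a lookup service concatenating raw DNS answer text into its result page, and the fix, treating every field of the answer (and the query itself) as untrusted text. This is an added example, not code from the post or from any of the tools mentioned; the "resolver" returns constructed sample records so it runs offline, and the `hostile.test` record is a constructed illustration of a record containing markup.

```python
import html
import re

# Constructed sample answers standing in for a real TXT lookup (no network involved).
# A DNS record's text field can contain any characters, including markup.
SAMPLE_ANSWERS = {
    "example.test": ["v=spf1 -all"],
    "hostile.test": ["<script>alert(1)</script>"],
}

# Conservative hostname syntax (RFC 1123 labels): a cheap first filter on the query
# string before it is ever placed in a page or a shell command.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def looks_like_hostname(name: str) -> bool:
    """Reject query strings that are not plausibly a hostname."""
    return bool(HOSTNAME_RE.match(name))


def resolve_txt(name: str) -> list[str]:
    """Stand-in for a TXT lookup; returns the constructed sample data above."""
    return SAMPLE_ANSWERS.get(name, [])


def render_unsafe(name: str) -> str:
    """The mistake from the thread: answer text dropped straight into the template."""
    rows = "".join(f"<li>{rec}</li>" for rec in resolve_txt(name))
    return f"<h1>TXT records for {name}</h1><ul>{rows}</ul>"


def render_safe(name: str) -> str:
    """Validate the query, then HTML-escape both the query and every record field."""
    if not looks_like_hostname(name):
        return "<p>Invalid hostname</p>"
    safe_name = html.escape(name, quote=True)
    rows = "".join(
        f"<li>{html.escape(rec, quote=True)}</li>" for rec in resolve_txt(name)
    )
    return f"<h1>TXT records for {safe_name}</h1><ul>{rows}</ul>"


if __name__ == "__main__":
    print(render_unsafe("hostile.test"))  # markup reaches the page intact
    print(render_safe("hostile.test"))    # markup rendered as inert text
```

The same escaping rule applies to reverse lookups, where the PTR target is chosen by whoever controls the reverse zone: the web server never gets to decide what the answer looks like, so it must encode the answer for the context it is written into (HTML here, a parameterised query for the SQL case the thread mentions).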