Bug #16763
Potential Stored XSS in ``diag_arp.php`` when using ISC DHCP
Status: closed
% Done: 100%
Plus Target Version: 26.07
Release Notes: Default
Description
There is a potential stored XSS due to the way diag_arp.php prints hostnames retrieved from the DHCP lease database when using the ISC DHCP backend.
A malicious DHCP client on a local network connected to an interface with ISC DHCP service active can send a specially-crafted hostname containing an XSS payload. The ISC DHCP daemon will accept that hostname and store it in the leases database. The diag_arp.php page reads the DHCP lease database when resolving hostnames to display on the page, and it prints those hostnames without encoding.
This does not affect the Kea DHCP backend as it properly cleans up the hostname of any invalid characters before storing the value, rendering it inert.
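The before/after of the unencoded-output problem described above, as an added example that is not code from pfSense or from this report: it parses a constructed ISC-style lease excerpt, flags `client-hostname` values that are not plain hostnames, and renders each value with and without HTML encoding. All function names and the sample lease data are assumptions; the actual change made to diag_arp.php is not shown on this page.

```php
<?php
// Added example, not pfSense code. Function names are hypothetical and the
// lease text below is constructed sample data in ISC dhcpd.leases format.
$leases = <<<'EOT'
lease 192.168.1.50 {
  binding state active;
  client-hostname "printer-2f";
}
lease 192.168.1.51 {
  binding state active;
  client-hostname "<script>alert(1)</script>";
}
EOT;

// Collect IP => client-hostname from each lease block.
function parse_lease_hostnames(string $text): array
{
    $out = [];
    preg_match_all('/^lease\s+(\S+)\s*\{(.*?)^\}/ms', $text, $blocks, PREG_SET_ORDER);
    foreach ($blocks as $b) {
        if (preg_match('/client-hostname\s+"([^"]*)";/', $b[2], $m)) {
            $out[$b[1]] = $m[1];
        }
    }
    return $out;
}

// True when the value uses only letters, digits, hyphens and dots (max 253 chars).
function is_plain_hostname(string $h): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?\z/', $h);
}

// Before: the stored value is concatenated into markup unchanged.
function render_cell_unsafe(string $hostname): string
{
    return '<td>' . $hostname . '</td>';
}

// After: the value is HTML-encoded at output, so the browser shows it as text.
function render_cell(string $hostname): string
{
    return '<td>' . htmlspecialchars($hostname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

foreach (parse_lease_hostnames($leases) as $ip => $host) {
    $note = is_plain_hostname($host) ? 'ok' : 'NOT a plain hostname';
    printf("%s [%s]\n  unencoded: %s\n  encoded:   %s\n", $ip, $note, render_cell_unsafe($host), render_cell($host));
}
```

Encoding at output covers every source that feeds the page, while the hostname check is useful for auditing an existing lease file for entries that should not be there.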