Bug #6737: diag_dns.php: DNS results printed without encoding, leading to an XSS - pfSense - pfSense bugtracker

Bug #6737

diag_dns.php: DNS results printed without encoding, leading to an XSS

Added by Jim Pingle over 4 years ago. Updated about 4 years ago.

Status:

Resolved

Priority:

High

Assignee:

Jim Pingle

Category:

Web Interface

Target version:

2.3.2-p1

Start date:

08/22/2016

Due date:

% Done:

100%

Estimated time:

Affected Version:

All

Affected Architecture:

All

Release Notes:

Default

Description

There is a potential XSS in diag_dns.php from a lack of encoding on the DNS replies.

If a query is entered for xss.uparo.com, a script alert is shown.

Associated revisions

Revision d2466ce6 (diff)
Added by Jim Pingle over 4 years ago

Add output encoding to diag_dns.php for results returned from DNS. Fixes #6737

Revision 9cbc340f (diff)
Added by Jim Pingle over 4 years ago

Add output encoding to diag_dns.php for results returned from DNS. Fixes #6737

Revision a92de66e (diff)
Added by Jim Pingle over 4 years ago

Add output encoding to diag_dns.php for results returned from DNS. Fixes #6737

History

#1 Updated by Jim Pingle over 4 years ago

Status changed from Assigned to Feedback
% Done changed from 0 to 100

Applied in changeset d2466ce6f5f45300ebeccea93ef4b7c35f8e1f02.

#2 Updated by Jim Pingle over 4 years ago

Status changed from Feedback to Resolved

#3 Updated by Jim Pingle about 4 years ago

Private changed from Yes to No

Also available in: Atom PDF

Project

General

Profile

pfSense

Issues

Custom queries

Bug #6737

diag_dns.php: DNS results printed without encoding, leading to an XSS

Associated revisions

History

#1 Updated by Jim Pingle over 4 years ago

#2 Updated by Jim Pingle over 4 years ago

#3 Updated by Jim Pingle about 4 years ago