Bug #6737: diag_dns.php: DNS results printed without encoding, leading to an XSS - pfSense - pfSense bugtracker

Actions

Copy link

Bug #6737

closed

diag_dns.php: DNS results printed without encoding, leading to an XSS

Added by Jim Pingle over 5 years ago. Updated almost 5 years ago.

Status:

Resolved

Priority:

High

Assignee:

Jim Pingle

Category:

Web Interface

Target version:

2.3.2-p1

Start date:

08/22/2016

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

All

Affected Architecture:

All

Description

There is a potential XSS in diag_dns.php from a lack of encoding on the DNS replies.

If a query is entered for xss.uparo.com, a script alert is shown.

Actions

Copy link

Updated by Jim Pingle over 5 years ago

Status changed from Assigned to Feedback
% Done changed from 0 to 100

Applied in changeset d2466ce6f5f45300ebeccea93ef4b7c35f8e1f02.

Actions

Copy link

Updated by Jim Pingle about 5 years ago

Status changed from Feedback to Resolved

Actions

Copy link

Updated by Jim Pingle almost 5 years ago

Private changed from Yes to No

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #6737

diag_dns.php: DNS results printed without encoding, leading to an XSS

Updated by Jim Pingle over 5 years ago

Updated by Jim Pingle about 5 years ago

Updated by Jim Pingle almost 5 years ago