
Bug #16763

Updated by Jim Pingle 7 days ago

There is a potential stored XSS due to the way @diag_arp.php@ prints hostnames retrieved from the DHCP lease database when using the ISC DHCP backend.

A malicious DHCP client on a local network connected to an interface with ISC DHCP service active can send a specially-crafted hostname containing an XSS payload. The ISC DHCP daemon will accept that hostname and store it in the leases database. The @diag_arp.php@ page reads the DHCP lease database when resolving hostnames to display on the page, and it prints those hostnames without encoding.

This does not affect the Kea DHCP backend, as it strips any invalid characters from the hostname before storing the value, rendering it inert.
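The chain described in this report, as an added illustration that is not pfSense code and not part of the original bug report: a constructed @dhcpd.leases@ excerpt in which one client supplied an HTML payload as its hostname, a parser that pulls the @client-hostname@ values out the way a lease-reading page would, the unencoded rendering that produces the stored XSS beside the output-encoded version, and a Kea-style hostname filter. The regexes, function names and sample leases are assumptions for the example; the Kea behaviour is modelled as stripping every character outside @[A-Za-z0-9.-]@, which is the assumed default of Kea's @hostname-char-set@ / @hostname-char-replacement@ options and not a claim about how pfSense configures Kea. The PHP equivalent of the encoding step is @htmlspecialchars()@.

```python
import html
import re

# Constructed dhcpd.leases excerpt (not captured from a real system).
# The second client sent option 12 (host-name) containing an HTML payload,
# which ISC dhcpd records verbatim as a quoted string.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  starts 1 2025/01/06 10:00:00;
  ends 1 2025/01/06 12:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-01";
}
lease 192.168.1.51 {
  starts 1 2025/01/06 10:05:00;
  ends 1 2025/01/06 12:05:00;
  binding state active;
  hardware ethernet 66:77:88:99:aa:bb;
  client-hostname "<img src=x onerror=alert(1)>";
}
"""

# One "lease <ip> { ... }" block at a time (assumed, simplified grammar).
LEASE_RE = re.compile(r'lease\s+(\S+)\s*\{(.*?)\}', re.S)
# Quoted client-hostname; tolerates backslash-escaped quotes inside the string.
HOSTNAME_RE = re.compile(r'client-hostname\s+"((?:[^"\\]|\\.)*)"')


def parse_isc_leases(text):
    """Return {ip: hostname} for every lease that carries a client-hostname.

    The hostname is returned exactly as stored: this is the untrusted value
    the diag page later prints.
    """
    leases = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        h = HOSTNAME_RE.search(body)
        if h:
            leases[ip] = h.group(1)
    return leases


def render_row_vulnerable(ip, hostname):
    # Reproduces the flaw: the attacker-controlled hostname is interpolated
    # straight into the HTML table, so markup in it becomes live markup.
    return f"<tr><td>{ip}</td><td>{hostname}</td></tr>"


def render_row_fixed(ip, hostname):
    # Output encoding at the sink: <, >, &, " and ' become entities, so the
    # browser shows the payload as text instead of executing it.
    return (f"<tr><td>{html.escape(ip)}</td>"
            f"<td>{html.escape(hostname, quote=True)}</td></tr>")


# Assumed Kea default: hostname-char-set "[^A-Za-z0-9.-]" with an empty
# hostname-char-replacement, i.e. every disallowed character is dropped.
KEA_HOSTNAME_CHAR_SET = re.compile(r'[^A-Za-z0-9.-]')


def kea_style_sanitize(hostname):
    """Model of the input-side filtering that makes the Kea backend unaffected."""
    return KEA_HOSTNAME_CHAR_SET.sub('', hostname)


if __name__ == "__main__":
    for ip, name in parse_isc_leases(SAMPLE_LEASES).items():
        print("vulnerable :", render_row_vulnerable(ip, name))
        print("encoded    :", render_row_fixed(ip, name))
        print("kea-style  :", kea_style_sanitize(name))
```

Running it shows the two defences the report contrasts: the ISC path stores the payload intact and only output encoding on the diag page stops it, while the Kea-style filter reduces the same payload to @imgsrcxonerroralert1@ before it is ever stored. The two are not alternatives in practice; the page should encode at the sink regardless of which backend supplied the data.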
