Bug #16932
Updated by Jim Pingle about 4 hours ago
The pfBlockerNG Reports page (@pfblockerng_alerts.php@) parses various logs and displays the data to the user. The *DNS Reply* and *DNS Reply Stats* tabs parse data collected while the *DNSBL Mode* is set to *Unbound Python* mode with *DNS Reply Logging* enabled, and display that data to administrators without output encoding.

If an attacker controls the DNS servers for a domain and can serve arbitrary TXT records, resolving a hostname through those servers while in this mode causes the reply text to be shown to the administrator unencoded, creating the potential for a stored XSS.

Reported By: Rob Reeves
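As an added illustration (not pfBlockerNG's own code), the rendering pattern that produces this class of bug next to its encoded form; the log line format, field order and function names are assumptions made for the example, and the sample line is constructed:

```php
<?php
// Added example, not code from pfblockerng_alerts.php. The log format
// (timestamp,type,name,reply) is an assumption for illustration only.

// Constructed sample line: the reply field carries markup, as an
// attacker-controlled TXT record could.
$sampleLine = '2024-01-01 10:00:00,TXT,example.test,<b>x</b> v=spf1 -all';

// Split into four fields; the reply is everything after the third comma,
// so it may itself contain commas.
function parse_reply_line(string $line): array {
    [$ts, $type, $name, $reply] = explode(',', $line, 4);
    return ['ts' => $ts, 'type' => $type, 'name' => $name, 'reply' => $reply];
}

// Vulnerable pattern: log fields are interpolated into HTML as-is, so any
// markup inside a DNS reply is interpreted by the administrator's browser.
function render_row_unsafe(array $r): string {
    return "<tr><td>{$r['ts']}</td><td>{$r['type']}</td>"
         . "<td>{$r['name']}</td><td>{$r['reply']}</td></tr>\n";
}

// Encode every untrusted field for an HTML text context before output.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: identical layout, but each field passes through h().
function render_row_safe(array $r): string {
    return '<tr><td>' . h($r['ts']) . '</td><td>' . h($r['type']) . '</td>'
         . '<td>' . h($r['name']) . '</td><td>' . h($r['reply']) . '</td></tr>' . "\n";
}

$row = parse_reply_line($sampleLine);
echo render_row_unsafe($row); // reply rendered as live markup
echo render_row_safe($row);   // reply rendered as literal text (&lt;b&gt;x&lt;/b&gt; ...)
```

The same encoding must be applied to the timestamp, type and name fields as well, since every field of a reply log line originates from data the remote DNS server influences.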