
Bug #16932

Updated by Jim Pingle about 4 hours ago

The pfBlockerNG Reports page (@pfblockerng_alerts.php@) parses various logs and displays the data to the user. The *DNS Reply* and *DNS Reply Stats* tabs parse data collected while *DNSBL Mode* is set to *Unbound Python* mode with *DNS Reply Logging* enabled, and then display this data to administrators without HTML-encoding it.

If an attacker controls the DNS servers for a domain and can serve arbitrary TXT records, resolving a hostname under that domain while in this mode results in the reply text being shown to the administrator unencoded, creating the potential for a stored XSS.

Reported By: Rob Reeves
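The pattern behind this bug, as an added example that is not pfBlockerNG's own code: a DNS reply log line is parsed and its TXT text is placed into a table cell, once as the vulnerable raw string and once encoded for the HTML context. The comma-separated log layout, the field names, and the sample TXT content are assumptions made for the example; the real DNS Reply log format is not shown on this page.

```php
<?php
// Added example, not pfBlockerNG's own code. It models the flaw in the bug:
// DNS reply text read from a log and echoed into the Reports page without
// encoding, next to the encoded form that defuses it.

// ASSUMPTION: this comma-separated layout is invented for the example; the
// TXT content is constructed and deliberately harmless (plain tags only).
$sampleLogLine = '2024-01-01 12:00:00,client-host,example.test,TXT,'
    . '"v=demo <b>bold-if-unencoded</b> <a href=""http://example.test"">link</a>"';

function parse_dns_reply_line(string $line): array
{
    // str_getcsv handles the quoted TXT field, including the "" quote escapes
    [$timestamp, $client, $domain, $type, $reply] = str_getcsv($line);
    return compact('timestamp', 'client', 'domain', 'type', 'reply');
}

function render_reply_cell_unsafe(array $entry): string
{
    // Vulnerable pattern: attacker-controlled TXT text becomes part of the document
    return '<td>' . $entry['reply'] . '</td>';
}

function render_reply_cell_safe(array $entry): string
{
    // Fix: encode for the HTML text context. ENT_QUOTES also covers attribute
    // values; ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the cell.
    $encoded = htmlspecialchars($entry['reply'], ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<td>' . $encoded . '</td>';
}

function contains_raw_reply_tags(string $html): bool
{
    // Check: did any tag from the sample reply survive into the rendered cell?
    return strpos($html, '<b>') !== false || strpos($html, '<a ') !== false;
}

$entry = parse_dns_reply_line($sampleLogLine);

echo "unsafe: " . render_reply_cell_unsafe($entry) . "\n";
echo "safe:   " . render_reply_cell_safe($entry) . "\n";

// The unsafe cell carries the reply's tags into the page; the encoded one does not.
assert(contains_raw_reply_tags(render_reply_cell_unsafe($entry)) === true);
assert(contains_raw_reply_tags(render_reply_cell_safe($entry)) === false);
```

The encoding has to match where the value lands: @htmlspecialchars()@ is right for HTML text and attribute values, but a reply written into an inline @<script>@ block or a JavaScript string would need a different encoder (for example @json_encode()@ with the appropriate flags), and a value used as a URL would need @rawurlencode()@. Encoding once at output time, for the exact context, is what prevents the stored TXT record from being interpreted as markup.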
