The server part of pupnp (libupnp) appears to be vulnerable to DNS-rebinding
attacks because it does not check the value of the Host
header.
Impact
A remote web server can exploit this vulnerability to trick the user
browser into triggering actions on the local UPnP services
implemented using this library. Depending on the affected service, this could be used for data exfitlration, data tempering, etc.
For example, this can be used to exfiltrate the content
of the media files exposed by a UPnP AV MediaServer server.
Moreover, it should be possible to delete or upload files
if this is enabled in the server configuration.
Patches
This will be fixed in 1.14.6 and later.
Workarounds
This can be mitigated by using DNS revolvers which block DNS-rebinding attacks.
For more information
If you have any questions or comments about this advisory email us at pupnp.github@gmail.com with the word security
in the subject.
The server part of pupnp (libupnp) appears to be vulnerable to DNS-rebinding
attacks because it does not check the value of the
Host
header.Impact
A remote web server can exploit this vulnerability to trick the user
browser into triggering actions on the local UPnP services
implemented using this library. Depending on the affected service, this could be used for data exfitlration, data tempering, etc.
For example, this can be used to exfiltrate the content
of the media files exposed by a UPnP AV MediaServer server.
Moreover, it should be possible to delete or upload files
if this is enabled in the server configuration.
Patches
This will be fixed in 1.14.6 and later.
Workarounds
This can be mitigated by using DNS revolvers which block DNS-rebinding attacks.
For more information
If you have any questions or comments about this advisory email us at pupnp.github@gmail.com with the word
security
in the subject.