Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XSS vulnerability in dnsdist webserver #3217

Closed
janeczku opened this issue Jan 11, 2016 · 0 comments
Closed

XSS vulnerability in dnsdist webserver #3217

janeczku opened this issue Jan 11, 2016 · 0 comments
Labels
defect dnsdist
Milestone
dnsdist-1-alpha2

Comments

@janeczku
Copy link

Steps to reproduce

  1. Start a dnsdist instance
  2. Enable the webserver: webserver("127.0.0.1:8083", "supersecret")
  3. Navigate to this URL:
    http://127.0.0.1:8083/?callback=%22%3E%3Cscript/src=data:,alert("evilcorp()")%26sol;%26sol;

Expected result
The callback query string is sanitized.
Actual result
The Javascript submitted with the callback parameter is injected in the resulting page and executed in the users browser.
@pieterlexis pieterlexis added this to the dnsdist-1-alpha2 milestone Jan 11, 2016
rgacogne added a commit to rgacogne/pdns that referenced this issue Jan 12, 2016
@rgacogne
dnsdist: Remove jsonp callback, add security HTTP headers
a057d0b 
- Remove the jsonp callback, using simple json data instead (Fixes PowerDNS#3217)
We might need to add CORS if we want to be able to retrieve JSON
data from a webpage not stored on the embedded web server.
- Add several HTTP headers:
 * X-Content-Type-Options: no-sniff to prevent browsers from guessing MIME type
 * X-Frame-Options: deny to prevent clickjacking
 * X-Permitted-Cross-Domain-Policies: none to keep flash from crossing boundaries
 * X-XSS-Protection: 1; mode=block to mitigate XSS
 * Content-Security-Policy: default-src 'self'; img-src *; style-src 'self' 'unsafe-inline',
 a basic CSP policy to restrict which scripts and CSS can be loaded
@rgacogne rgacogne mentioned this issue Jan 12, 2016
Merged
rgacogne added a commit to rgacogne/pdns that referenced this issue Jan 14, 2016
@rgacogne
dnsdist: Remove jsonp callback, add security HTTP headers
ed5d8c7 
- Remove the jsonp callback, using simple json data instead (Fixes PowerDNS#3217)
We might need to add CORS if we want to be able to retrieve JSON
data from a webpage not stored on the embedded web server.
- Add several HTTP headers:
 * X-Content-Type-Options: no-sniff to prevent browsers from guessing MIME type
 * X-Frame-Options: deny to prevent clickjacking
 * X-Permitted-Cross-Domain-Policies: none to keep flash from crossing boundaries
 * X-XSS-Protection: 1; mode=block to mitigate XSS
 * Content-Security-Policy: default-src 'self'; img-src *; style-src 'self' 'unsafe-inline',
 a basic CSP policy to restrict which scripts and CSS can be loaded
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
defect dnsdist
Projects
None yet
Milestone
dnsdist-1-alpha2
Development

No branches or pull requests
2 participants
@pieterlexis @janeczku