New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

XSS vulnerability in dnsdist webserver #3217

Closed
janeczku opened this Issue Jan 11, 2016 · 0 comments

Comments

Projects
None yet
2 participants
@janeczku

janeczku commented Jan 11, 2016

Steps to reproduce

  1. Start a dnsdist instance
  2. Enable the webserver: webserver("127.0.0.1:8083", "supersecret")
  3. Navigate to this URL:
    http://127.0.0.1:8083/?callback=%22%3E%3Cscript/src=data:,alert("evilcorp()")%26sol;%26sol;

Expected result
The callback query string is sanitized.
Actual result
The Javascript submitted with the callback parameter is injected in the resulting page and executed in the users browser.

@pieterlexis pieterlexis added this to the dnsdist-1-alpha2 milestone Jan 11, 2016

rgacogne added a commit to rgacogne/pdns that referenced this issue Jan 12, 2016

dnsdist: Remove jsonp callback, add security HTTP headers
- Remove the jsonp callback, using simple json data instead (Fixes PowerDNS#3217)
We might need to add CORS if we want to be able to retrieve JSON
data from a webpage not stored on the embedded web server.
- Add several HTTP headers:
 * X-Content-Type-Options: no-sniff to prevent browsers from guessing MIME type
 * X-Frame-Options: deny to prevent clickjacking
 * X-Permitted-Cross-Domain-Policies: none to keep flash from crossing boundaries
 * X-XSS-Protection: 1; mode=block to mitigate XSS
 * Content-Security-Policy: default-src 'self'; img-src *; style-src 'self' 'unsafe-inline',
 a basic CSP policy to restrict which scripts and CSS can be loaded

rgacogne added a commit to rgacogne/pdns that referenced this issue Jan 14, 2016

dnsdist: Remove jsonp callback, add security HTTP headers
- Remove the jsonp callback, using simple json data instead (Fixes PowerDNS#3217)
We might need to add CORS if we want to be able to retrieve JSON
data from a webpage not stored on the embedded web server.
- Add several HTTP headers:
 * X-Content-Type-Options: no-sniff to prevent browsers from guessing MIME type
 * X-Frame-Options: deny to prevent clickjacking
 * X-Permitted-Cross-Domain-Policies: none to keep flash from crossing boundaries
 * X-XSS-Protection: 1; mode=block to mitigate XSS
 * Content-Security-Policy: default-src 'self'; img-src *; style-src 'self' 'unsafe-inline',
 a basic CSP policy to restrict which scripts and CSS can be loaded
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment