XSS vulnerability in dnsdist webserver #3217

Closed
janeczku opened this Issue Jan 11, 2016 · 0 comments


@janeczku

Steps to reproduce

  1. Start a dnsdist instance
  2. Enable the webserver: webserver("127.0.0.1:8083", "supersecret")
  3. Navigate to this URL:
    http://127.0.0.1:8083/?callback=%22%3E%3Cscript/src=data:,alert("evilcorp()")%26sol;%26sol;

Expected result
The callback query string is sanitized.
Actual result
The JavaScript submitted with the callback parameter is injected into the resulting page and executed in the user's browser.

@pieterlexis pieterlexis added this to the dnsdist-1-alpha2 milestone Jan 11, 2016
@rgacogne rgacogne added a commit to rgacogne/pdns that referenced this issue Jan 12, 2016
@rgacogne rgacogne dnsdist: Remove jsonp callback, add security HTTP headers
- Remove the jsonp callback, using simple json data instead (Fixes #3217)
We might need to add CORS if we want to be able to retrieve JSON
data from a webpage not stored on the embedded web server.
- Add several HTTP headers:
 * X-Content-Type-Options: no-sniff to prevent browsers from guessing MIME type
 * X-Frame-Options: deny to prevent clickjacking
 * X-Permitted-Cross-Domain-Policies: none to keep flash from crossing boundaries
 * X-XSS-Protection: 1; mode=block to mitigate XSS
 * Content-Security-Policy: default-src 'self'; img-src *; style-src 'self' 'unsafe-inline',
 a basic CSP policy to restrict which scripts and CSS can be loaded
a057d0b
@rgacogne rgacogne added a commit to rgacogne/pdns that referenced this issue Jan 14, 2016
@rgacogne rgacogne dnsdist: Remove jsonp callback, add security HTTP headers
- Remove the jsonp callback, using simple json data instead (Fixes #3217)
We might need to add CORS if we want to be able to retrieve JSON
data from a webpage not stored on the embedded web server.
- Add several HTTP headers:
 * X-Content-Type-Options: no-sniff to prevent browsers from guessing MIME type
 * X-Frame-Options: deny to prevent clickjacking
 * X-Permitted-Cross-Domain-Policies: none to keep flash from crossing boundaries
 * X-XSS-Protection: 1; mode=block to mitigate XSS
 * Content-Security-Policy: default-src 'self'; img-src *; style-src 'self' 'unsafe-inline',
 a basic CSP policy to restrict which scripts and CSS can be loaded
ed5d8c7
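The reflection the issue reports and the two ways out of it (the plain-JSON-plus-headers route the fix commits took, and a callback allowlist for servers that must keep JSONP), as an added Python example that is not dnsdist code; the response dicts, the function names and the reconstruction of the pre-fix body are assumptions made for the illustration.

```python
import json
import re

# Callback value from the report, URL-decoded (constructed from the issue's URL).
REPORTED_CALLBACK = '"><script/src=data:,alert("evilcorp()")&sol;&sol;'

# Header set listed in the fix commit; the registered value for
# X-Content-Type-Options is "nosniff" (the commit message spells it "no-sniff").
SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "deny",
    "X-Permitted-Cross-Domain-Policies": "none",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; img-src *; style-src 'self' 'unsafe-inline'",
}

# Allowlist for a JSONP callback: dotted JavaScript identifiers only, so quotes,
# angle brackets and whitespace can never reach the response body.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def jsonp_response_vulnerable(callback, payload):
    """Hypothetical reconstruction of the pre-fix behaviour: the callback is pasted
    verbatim, so a value starting with '">' breaks out into HTML and runs as script."""
    body = "%s(%s);" % (callback, json.dumps(payload))
    return {"status": 200, "headers": {"Content-Type": "text/html"}, "body": body}


def json_response(payload):
    """What the fix did: plain JSON with the security headers and no
    caller-controlled text anywhere in the body."""
    headers = {**SECURITY_HEADERS, "Content-Type": "application/json"}
    return {"status": 200, "headers": headers, "body": json.dumps(payload)}


def jsonp_response_hardened(callback, payload):
    """Alternative if JSONP must stay: reject anything but an identifier, serve the
    body as JavaScript rather than HTML, and send nosniff so browsers keep that type."""
    if not _CALLBACK_RE.match(callback):
        headers = {**SECURITY_HEADERS, "Content-Type": "text/plain"}
        return {"status": 400, "headers": headers, "body": "invalid callback name"}
    headers = {**SECURITY_HEADERS, "Content-Type": "application/javascript"}
    # The leading comment keeps the response from being re-read as another file type.
    return {"status": 200, "headers": headers,
            "body": "/**/%s(%s);" % (callback, json.dumps(payload))}


def reflects_unescaped(response, value):
    """Regression check for a test suite: does the raw input appear in the body?"""
    return value in response["body"]
```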
@ahupowerdns ahupowerdns closed this in #3219 Jan 14, 2016