Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 6 Nov 2015 10:45:58 +0100
From: Pieter Lexis <pieter.lexis@...erdns.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE request: stored XSS in PowerDNS < 3.4.7

Hi,

On 11/06/2015 10:07 AM, Damien Cauquil wrote:
> PowerDNS < 3.4.7 was prone to a stored XSS vulnerability, now fixed in
> version 3.4.7.
> 
> This commit by the PowerDNS team fixes it:
> 
> https://github.com/PowerDNS/pdns/commit/416d252
> 
> Could a CVE be assigned to this issue ?

This stored XSS was in a component (the built-in webserver) that
1) is disabled by default
2) should only be opened up on a non-public network (or with
   authentications in front)
3) serves a simple read-only webpage

To 'exploit' this XSS, someone with knowledge of the target's
infrastructure must send the target a malicious link (with the exploit
code embedded in the link). As this is built-in webpage is (should) only
accessible to the operators of the DNS server, the attack-surface for
this attack is very low.

We consider this XSS a very low risk vulnerability because of this and
suggest a CVE be not assigned.

-- 
Pieter Lexis
PowerDNS.COM BV - https://www.powerdns.com


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ