Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 6 Nov 2015 10:45:58 +0100
From: Pieter Lexis <pieter.lexis@...erdns.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE request: stored XSS in PowerDNS < 3.4.7

Hi,

On 11/06/2015 10:07 AM, Damien Cauquil wrote:
> PowerDNS < 3.4.7 was prone to a stored XSS vulnerability, now fixed in
> version 3.4.7.
> 
> This commit by the PowerDNS team fixes it:
> 
> https://github.com/PowerDNS/pdns/commit/416d252
> 
> Could a CVE be assigned to this issue ?

This stored XSS was in a component (the built-in webserver) that
1) is disabled by default
2) should only be opened up on a non-public network (or with
   authentications in front)
3) serves a simple read-only webpage

To 'exploit' this XSS, someone with knowledge of the target's
infrastructure must send the target a malicious link (with the exploit
code embedded in the link). As this is built-in webpage is (should) only
accessible to the operators of the DNS server, the attack-surface for
this attack is very low.

We consider this XSS a very low risk vulnerability because of this and
suggest a CVE be not assigned.

-- 
Pieter Lexis
PowerDNS.COM BV - https://www.powerdns.com


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.