PowerDNS Security Advisory 2017-05: Cross-Site Scripting in the web interface

  • CVE: CVE-2017-15092

  • Date: November 27th 2017

  • Credit: Nixu, Chris Navarrete of Fortinet’s Fortiguard Labs

  • Affects: PowerDNS Recursor from 4.0.0 up to and including 4.0.6

  • Not affected: PowerDNS Recursor 4.0.7, 3.7.x

  • Severity: Medium

  • Impact: Alteration and denial of service of the web interface

  • Exploit: This problem can be triggered by an attacker sending DNS queries to the server

  • Risk of system compromise: No

  • Solution: Upgrade to a non-affected version

An issue has been found in the web interface of PowerDNS Recursor, where the qname of DNS queries was displayed without any escaping, allowing a remote attacker to inject HTML and JavaScript code into the web interface, altering the content. This issue has been assigned CVE-2017-15092.
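The class of bug described above, as an added example that is not PowerDNS code and not the patch itself: a query name is decoded from the wire and placed in a table row, first without and then with HTML escaping. All function names and the sample query are constructed for illustration.

```javascript
// Added example (not PowerDNS code); all names and sample data are constructed.

// Decode a wire-format qname into presentation format. A DNS label may hold
// any octet, so '<', '>' and quotes arrive as ordinary printable bytes.
// Compression pointers (length >= 0xC0) are rejected in this sketch.
function qnameToText(wire) {
  const labels = [];
  let i = 0;
  while (true) {
    if (i >= wire.length) throw new Error('qname not terminated');
    const len = wire[i];
    if (len === 0) break;
    if (len > 63 || i + 1 + len > wire.length) throw new Error('malformed label');
    let label = '';
    for (const b of wire.subarray(i + 1, i + 1 + len)) {
      if (b === 0x2e || b === 0x5c) label += '\\' + String.fromCharCode(b); // \. and \\
      else if (b < 0x21 || b > 0x7e) label += '\\' + String(b).padStart(3, '0'); // \DDD
      else label += String.fromCharCode(b);
    }
    labels.push(label);
    i += 1 + len;
  }
  return labels.join('.') + '.';
}

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Unescaped rendering: the qname is interpreted as markup by the browser.
function renderRowUnsafe(qname, count) {
  return '<tr><td>' + qname + '</td><td>' + count + '</td></tr>';
}

// Escaped rendering: the qname is shown as text, whatever bytes it contains.
function renderRowSafe(qname, count) {
  return '<tr><td>' + escapeHtml(qname) + '</td><td>' + Number(count) + '</td></tr>';
}

// Constructed sample: a query name whose first label contains HTML tags.
function toWire(labels) {
  const bytes = [];
  for (const l of labels) bytes.push(l.length, ...[...l].map((c) => c.charCodeAt(0)));
  return Uint8Array.from([...bytes, 0]);
}
const SAMPLE_WIRE = toWire(['<b>x</b>', 'example', 'com']);
```

The DNS presentation-format escaping in `qnameToText` only covers dots, backslashes and non-printable bytes, which is why a separate HTML escaping step is needed at the point of display.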

PowerDNS Recursor versions from 4.0.0 up to and including 4.0.6 are affected.

For those unable to upgrade to a new version, a minimal patch is available.

We would like to thank Nixu and Chris Navarrete of Fortinet’s Fortiguard Labs for independently finding and reporting this issue.