Pi-hole Admin Interface CRLF Injection Vulnerability Allowing Header Injection and Session Fixation

Vulnerability

A Carriage Return Line Feed (CRLF) injection vulnerability has been identified in the Pi-hole Admin Interface prior to version 6.3. The flaw allows arbitrary HTTP response headers to be injected through a redirect mechanism that fails to sanitize its input for files ending in the .lp extension. Injected headers can manipulate session cookies, leading to session fixation attacks, and can disrupt browser security features such as Content Security Policy and X-XSS-Protection. The same weakness could also be used for HTTP response splitting, with potential consequences such as cache poisoning or the injection of HTML and JavaScript into the response.

Impact

Exploitation of this vulnerability allows for full manipulation of HTTP response headers, which can disrupt normal application behavior and user sessions. The injection of malicious cookies can lead to session fixation attacks, allowing an attacker to hijack a user's session. The vulnerability also enables HTTP response splitting, injecting additional headers and content that can be interpreted as a second valid HTTP response, with severe impacts such as redirection attacks or cache poisoning.

Reproduction

To reproduce this vulnerability, send a request for a file with the .lp extension in which the path contains carriage return and line feed characters; this can be done by entering the crafted URL into the browser's address bar. The server passes the line breaks through into the redirect response, so whatever follows them is emitted as additional response headers. For example, injecting a Set-Cookie header demonstrates session fixation by forcing the browser to adopt a predefined session ID.
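The defensive counterpart to the behaviour described above, as an added example that is not part of this advisory or of Pi-hole's own code: a detection pass over access-log lines that flags request targets carrying CR/LF in any percent-encoding, and a hardened redirect builder that refuses control characters before emitting a Location value. The log lines are constructed, and the assumption that the redirect maps "/x.lp" to "/x" is mine; the advisory does not describe what the redirect target looks like.

```python
import re
from urllib.parse import quote, unquote

# Constructed sample access-log lines (CLF-style); not taken from a real Pi-hole install.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2025:20:23:01 +0000] "GET /admin/login.lp HTTP/1.1" 200 1024
10.0.0.9 - - [27/Oct/2025:20:23:07 +0000] "GET /admin/index.lp%0d%0aX-Injected:%201 HTTP/1.1" 302 0
10.0.0.9 - - [27/Oct/2025:20:23:09 +0000] "GET /admin/groups.lp?x=%250a HTTP/1.1" 200 512
"""

REQUEST_TARGET = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def has_crlf(target: str, max_decodes: int = 2) -> bool:
    """True if the request target yields CR/LF (or any other control character)
    after up to max_decodes rounds of percent-decoding; the extra rounds also
    catch double-encoded forms such as %250d."""
    value = target
    for _ in range(max_decodes + 1):
        if CONTROL_CHARS.search(value):
            return True
        value = unquote(value)
    return False


def flag_crlf_requests(log_text: str) -> list[str]:
    """Return the request targets in an access log that carry CR/LF."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_TARGET.search(line)
        if match and has_crlf(match.group(1)):
            hits.append(match.group(1))
    return hits


def safe_redirect_location(request_path: str) -> str:
    """Hardened form of an '.lp' redirect: decode the path once, refuse it
    outright if any control character is present, then re-encode so the
    Location value can only ever occupy a single header line."""
    path = unquote(request_path)
    if CONTROL_CHARS.search(path):
        raise ValueError("control character in redirect target")
    if path.endswith(".lp"):          # assumed mapping /x.lp -> /x (not from the advisory)
        path = path[: -len(".lp")]
    return quote(path, safe="/?=&")


if __name__ == "__main__":
    print(flag_crlf_requests(SAMPLE_LOG))
    print(safe_redirect_location("/admin/login.lp"))
```

Run against a real access log, `flag_crlf_requests` gives a quick audit of whether the pattern was ever attempted before the upgrade to 6.3.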

Remediation

Users are advised to update to Pi-hole Admin Interface version 6.3 or later, where this vulnerability has been fixed.

Added: Oct 27, 2025, 8:23 PM
Updated: Oct 27, 2025, 8:23 PM

Vulnerability Rating (Custom Algorithm)

spread          5.7
impact          3.5
exploitability  9.1
remediation     7.7
relevance       0.8
threat          6.4
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.