Pi-hole Admin Interface Stored HTML Injection Vulnerability in DNS Records Management

Vulnerability

A stored HTML injection vulnerability has been identified in the Pi-hole Admin Interface, affecting versions through 6.4. It allows an authenticated administrator to inject arbitrary HTML into the local DNS records configuration page. The injected value is saved in the Pi-hole configuration and rendered every time the DNS records table is loaded. The root cause is that the 'populateDataTable()' function inserts user-entered DNS record values directly into the 'data-tag' HTML attribute without escaping, so a double quote in a record value terminates the attribute and whatever follows is parsed as additional attributes on the element. Because Pi-hole's Content Security Policy (CSP) blocks inline JavaScript, which includes injected event-handler attributes, the impact is limited to HTML injection; in an environment with a less restrictive CSP the same flaw would escalate to stored Cross-Site Scripting (XSS).

Impact

Exploitation allows an authenticated administrator to inject HTML attributes into the buttons of the DNS records table. Potential impacts include UI spoofing, manipulated tooltips, altered accessibility attributes, and partial defacement of the admin interface for any administrator who later views the table. Under a less restrictive CSP the same flaw would escalate to stored XSS, enabling JavaScript execution in the viewing administrator's browser and full control of that administrator's session.

Reproduction

To reproduce this vulnerability, log into the Pi-hole Admin Interface and navigate to 'Settings' > 'Local DNS Records'. Enter a payload containing a double quote followed by HTML attributes into the 'Domain' field, along with any value in the 'Target' field. After clicking 'Add', the injected markup is rendered into the DNS records table; inspecting the table's button element in the browser's developer tools shows the extra attributes present on it, demonstrating the vulnerability.
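The attribute-building pattern described under Vulnerability and the reproduction payload above, as an added example that is not Pi-hole's own code: an unescaped string concatenation into data-tag beside the same row built with attribute escaping, plus a small check that shows which attributes a browser would actually see on the button. The function names (buildRowVulnerable, buildRowFixed, escapeHtmlAttr, firstTagAttributes, injectedAttributes), the button markup, and the payload are illustrative assumptions, not taken from the Pi-hole source.

```javascript
// Added example, not Pi-hole's own code. The markup, function names and payload
// are assumptions made for illustration.

// Escape the characters that can end or alter a double-quoted attribute value.
// Ampersand goes first so already-escaped output is not double-escaped wrongly.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable pattern: the record is concatenated straight into data-tag, so a
// double quote inside the domain closes the attribute and everything after it
// is parsed as further attributes on the button.
function buildRowVulnerable(domain, target) {
  return '<button type="button" class="btn-delete" data-tag="' +
    domain + "/" + target + '">Delete</button>';
}

// Hardened pattern: the record is escaped before it is placed in the attribute,
// so the quote survives as &quot; and the whole payload stays inside data-tag.
function buildRowFixed(domain, target) {
  return '<button type="button" class="btn-delete" data-tag="' +
    escapeHtmlAttr(domain + "/" + target) + '">Delete</button>';
}

// Minimal parser for the first tag's double-quoted attributes. It is only
// meant to show where an HTML parser would see attribute boundaries; it is
// not a general HTML parser.
function firstTagAttributes(html) {
  const tag = /^<[a-zA-Z]+([^>]*)>/.exec(html);
  if (tag === null) throw new Error("no tag found");
  const attrs = {};
  const attrRe = /([^\s"'=<>]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = attrRe.exec(tag[1])) !== null) attrs[m[1]] = m[2];
  return attrs;
}

// Attributes on the button beyond the three the template is supposed to emit.
// A non-empty result means the record value escaped its attribute.
function injectedAttributes(html) {
  const expected = new Set(["type", "class", "data-tag"]);
  return Object.keys(firstTagAttributes(html)).filter((k) => !expected.has(k));
}

// Constructed payload in the shape the advisory describes: a double quote
// followed by HTML attributes. The target is any syntactically valid value.
const PAYLOAD_DOMAIN = 'evil.example" title="Spoofed" style="color:red';
const TARGET = "192.0.2.10";

console.log("vulnerable:", injectedAttributes(buildRowVulnerable(PAYLOAD_DOMAIN, TARGET)));
console.log("fixed:     ", injectedAttributes(buildRowFixed(PAYLOAD_DOMAIN, TARGET)));
```

In the vulnerable rendering the button gains title and style attributes controlled by the record, while data-tag is truncated at the injected quote; in the fixed rendering no extra attributes appear and the full record, quotes included, is recoverable from data-tag once the browser decodes the entities. Under a CSP that forbids inline script, an injected onmouseover or similar handler attribute would be present in the markup but blocked from running, which is why the advisory rates the impact as HTML injection rather than XSS.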

Remediation

Update to Pi-hole Admin Interface version 6.4.1, which addresses this vulnerability by sanitizing record values before they are inserted into the HTML. After updating, adding a record whose domain contains a double quote and confirming it appears in the table as literal text, with no extra attributes on the row's button, verifies the fix is in place.

Added: Feb 19, 2026, 11:18 PM
Updated: Feb 19, 2026, 11:18 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 0.6
exploitability: 5.8
remediation: 7.7
relevance: 3.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.