Pi-hole
cpe:2.3:a:pi-hole:pi-hole:*:*:*:*:*:*:*
- >= 6.0
A stored HTML injection vulnerability has been identified in the Pi-hole Admin Interface, specifically in versions 6.0 and above. The issue resides in the active sessions table on the API settings page. This vulnerability allows an attacker with valid credentials to inject arbitrary HTML that will be rendered in the browser of any administrator who accesses the active sessions page. The flaw arises because the 'rowCallback' function directly concatenates the 'X-Forwarded-For' header value into an HTML string, which is then inserted into the DOM using jQuery's '.html()' method. This method interprets the content as HTML, enabling the injection of HTML tags that will be parsed and displayed by the browser. Although Pi-hole's Content Security Policy blocks inline JavaScript, limiting the impact to HTML injection, the vulnerability could escalate to full Cross-Site Scripting in environments with a less restrictive CSP or if it is disabled.
Exploitation of this vulnerability allows for arbitrary HTML injection, which is rendered in the browsers of administrators visiting the active sessions page. This could be used for UI spoofing, CSS injection to hide malicious activity, internal phishing, or psychological manipulation. In less restrictive CSP configurations, this vulnerability could escalate to full Cross-Site Scripting, with severe consequences such as session hijacking or unauthorized modification of Pi-hole settings.
To reproduce this vulnerability, log into the Pi-hole Admin Interface and navigate to the API settings page. Use a tool like curl, wget, or Python requests to send a POST request to the '/api/auth' endpoint. Include an 'X-Forwarded-For' header with malicious HTML content, such as a bold tag styled with color. Once the request is sent and the session is established, the injected HTML will be displayed in the active sessions section.
Users can update to Pi-hole version 6.4.1, which addresses this vulnerability by escaping the 'X-Forwarded-For' header value before it is inserted into the DOM.
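The pattern the advisory describes and the escaping the fix applies, shown side by side as an added example (not Pi-hole's own code; the session record shape, the field names and the helper functions are assumptions):

```javascript
// Added example, not taken from Pi-hole. A session record shaped the way the
// advisory describes the active sessions table (constructed sample data).
const sampleSession = {
  id: 7,
  remote_addr: "203.0.113.5",
  x_forwarded_for: '<b style="color:red">injected</b>',
};

// Minimal HTML escaper: '&' first so already-escaped text is not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (pre-6.4.1 behaviour as the advisory describes it):
// the header value is concatenated straight into markup that later lands in
// the DOM via jQuery's .html(), so any tags in it are parsed by the browser.
function renderRowUnsafe(session) {
  return "<td>" + session.remote_addr + "</td><td>" + session.x_forwarded_for + "</td>";
}

// Hardened pattern: every attacker-influenced value is escaped before it is
// concatenated. In a real DataTables rowCallback, $(cell).text(value) achieves
// the same result by treating the value as text rather than markup.
function renderRowSafe(session) {
  return "<td>" + escapeHtml(session.remote_addr) + "</td><td>" +
         escapeHtml(session.x_forwarded_for) + "</td>";
}

// Defender's check: flag session records whose X-Forwarded-For value carries
// markup characters, which a genuine proxy header never needs. Returns the
// ids of suspicious sessions so they can be reviewed or revoked.
function findSuspiciousForwardedFor(sessions) {
  return sessions
    .filter((s) => /[<>]/.test(String(s.x_forwarded_for || "")))
    .map((s) => s.id);
}
```
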