Pi-hole Admin Interface Reflected DOM-Based Cross-Site Scripting Vulnerability

Vulnerability

A reflected DOM-based cross-site scripting vulnerability has been identified in the Pi-hole Admin Interface, affecting versions from 6.0 up to but not including 6.5. It allows an unauthenticated attacker to inject arbitrary HTML into the admin interface by crafting a malicious URL. The issue arises in 'taillog.js', where the 'file' query parameter is inserted into the DOM via 'innerHTML' without proper escaping. Because the Content-Security-Policy (CSP) lacks a 'form-action' directive, an injected form can submit credentials to an external origin. This vulnerability is patched in Pi-hole version 6.5.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting and HTML injection, creating a vector for credential phishing. Any authenticated Pi-hole administrator who interacts with a crafted link is at risk. The missing 'form-action' CSP directive facilitates credential theft through injected forms, while the 'meta refresh' injection enables open redirects. Successful exploitation could lead to the theft of the admin password, allowing unauthorized changes to DNS configurations.
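The two defensive pieces the advisory points at are strict validation of the 'file' parameter before it reaches any DOM sink, and a CSP that states 'form-action' explicitly (it does not fall back to 'default-src', so an otherwise strict policy still leaves injected forms free to submit anywhere). The following is an added example written for this page, not Pi-hole's own code and not a reconstruction of 'taillog.js': the allowlist contents, the page URL, the function names and the sample headers are constructed for illustration.

```javascript
// Added example (not Pi-hole's own code): parameter validation and a CSP
// check for the class of bug described above. The allowlist, URLs and
// headers below are constructed assumptions, not values from the project.

// Constructed allowlist of log names the page may tail. Matching is exact:
// no prefixes, no path separators, no case folding.
const ALLOWED_FILES = new Set(["pihole.log", "FTL.log", "webserver.log"]);

// Returns the validated log name, or null when the `file` parameter is
// absent or is anything other than an exact allowlisted name.
function allowedLogFile(pageUrl) {
  const file = new URL(pageUrl).searchParams.get("file");
  if (file === null) return null;
  return ALLOWED_FILES.has(file) ? file : null;
}

// Escapes the characters that change meaning inside an HTML text or
// attribute context. Writing to textContent instead of innerHTML is the
// better fix; this is for code paths that must build markup strings.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Builds the status line the page would show. The vulnerable pattern the
// advisory describes places the raw parameter into an HTML sink; this
// version validates first and escapes whatever survives validation.
function statusLineHardened(pageUrl) {
  const file = allowedLogFile(pageUrl);
  return file === null ? "Unknown log file" : "Tailing " + escapeHtml(file);
}

// Parses a Content-Security-Policy header into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// form-action does not inherit from default-src, so it must be stated
// explicitly or an injected <form> may POST to any origin. Reports whether
// it is present and returns a header with "form-action 'self'" appended
// when it is not.
function checkFormAction(header) {
  const policy = parseCsp(header);
  if (Object.prototype.hasOwnProperty.call(policy, "form-action")) {
    return { present: true, sources: policy["form-action"], header };
  }
  const trimmed = header.trim().replace(/;$/, "");
  return { present: false, sources: [], header: trimmed + "; form-action 'self'" };
}

// Usage with constructed inputs.
const PAGE = "http://pi.hole/admin/taillog?file=pihole.log";
console.log(statusLineHardened(PAGE));
console.log(checkFormAction("default-src 'self'; script-src 'self'").header);
```

The allowlist check uses exact set membership rather than a prefix or substring test, so a value that merely contains an allowed name is rejected; the CSP check treats the directive as missing unless it appears by name, because no other directive covers form submissions.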

Reproduction

To reproduce this vulnerability, log into the Pi-hole Admin Interface and navigate to the 'taillog' feature. Once there, inject a malicious 'file' query parameter that bypasses the allowlist check. The injected HTML will render in the admin interface, demonstrating the cross-site scripting vulnerability. To exploit the missing 'form-action' CSP directive, craft a 'file' parameter that includes a form element designed to capture and send credentials to an external site. This form will be displayed as an overlay, mimicking a legitimate login prompt and tricking the user into entering their password.

Remediation

Users can update to Pi-hole version 6.5, which addresses this vulnerability.

Added: Apr 6, 2026, 3:27 PM
Updated: Apr 6, 2026, 3:27 PM

Vulnerability Rating (Custom Algorithm)

spread: 5.7
impact: 5.4
exploitability: 7.2
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.