Pi-hole Admin Interface Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting (XSS) vulnerability affects Pi-hole Admin Interface versions 6.0 up to, but not including, 6.5. Client hostnames and IP addresses read from the FTL database are inserted into the DOM without escaping on the Network page ('network.js') and in the Dashboard chart tooltips ('charts.js' and 'index.js'). Input validation in dnsmasq and FTL normally rejects HTML characters arriving over the standard DHCP and DNS paths, so the unescaped output in these files is an inconsistency with the other fields the interface does escape rather than a sink reachable directly from the network. An attacker must already be able to write to the filesystem, by editing the FTL database or the DHCP lease file, to plant a hostname containing HTML; once planted, the web UI renders it as markup instead of text.

Impact

Exploitation results in stored cross-site scripting: the injected HTML or script runs in the browser of whoever views the affected Network page or Dashboard tooltips, with the privileges of that user's Pi-hole Admin Interface session.

Reproduction

To reproduce, plant a hostname containing HTML in the FTL database, bypassing the validation that dnsmasq and FTL apply on the normal DHCP and DNS paths: either edit the database directly or tamper with the DHCP lease file so the value is imported. Then open the Network page, or open the Dashboard and hover over a chart entry for that client so its tooltip renders. The hostname is inserted into the DOM unescaped and the injected markup executes.
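The following is an added illustration, not code from Pi-hole or from this advisory. It simulates the two rendering paths the advisory contrasts (a raw database value interpolated into markup versus the same value escaped first) over a constructed client record, and adds a scan a defender can run over exported client records to spot names or addresses that carry HTML metacharacters. The record, the `escapeHtml` helper and the function names are assumptions for the example; Pi-hole's actual templates and the FTL schema are not reproduced here. It runs under Node without a DOM, so each renderer returns the HTML fragment that would otherwise be assigned to `innerHTML`.

```javascript
// Added example (not Pi-hole's code). Simulates unescaped vs escaped rendering
// of DB-sourced client fields, plus a defender-side scan for suspicious values.

// Constructed record: a hostname like this only reaches the database if it is
// written there directly, since dnsmasq/FTL reject HTML characters on the
// normal DHCP and DNS paths.
const CONSTRUCTED_CLIENT = {
  ip: "192.0.2.10",
  name: '<img src=x onerror="alert(document.cookie)">',
};
const CONSTRUCTED_BENIGN = { ip: "192.0.2.11", name: "laptop" };

// Vulnerable pattern: raw DB values are interpolated straight into markup.
// A browser parsing this fragment creates the <img> element and fires onerror.
function renderClientRowUnsafe(client) {
  return `<tr><td>${client.ip}</td><td>${client.name}</td></tr>`;
}

// Hypothetical escaper for text placed in element content or quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: every DB-sourced value is escaped before it reaches the DOM,
// so the same hostname is shown literally as text.
function renderClientRowSafe(client) {
  return `<tr><td>${escapeHtml(client.ip)}</td><td>${escapeHtml(client.name)}</td></tr>`;
}

// Chart tooltip variant: a label built from "name (ip)" has the same sink and
// needs the same escaping before it is handed to tooltip HTML.
function tooltipLabelSafe(client) {
  return escapeHtml(`${client.name} (${client.ip})`);
}

// Defender check: hostnames and IP addresses should never contain these
// characters. Returns the records that warrant inspection of the database or
// lease file.
const HTML_METACHARS = /[<>"'&]/;
function findSuspiciousClients(clients) {
  return clients.filter(
    (c) => HTML_METACHARS.test(c.name) || HTML_METACHARS.test(c.ip)
  );
}

// Stand-alone demo.
function demo() {
  console.log("unsafe:", renderClientRowUnsafe(CONSTRUCTED_CLIENT));
  console.log("safe:  ", renderClientRowSafe(CONSTRUCTED_CLIENT));
  console.log("flagged:", findSuspiciousClients([CONSTRUCTED_CLIENT, CONSTRUCTED_BENIGN]));
}
demo();
```

The scan is a detection aid only: a flagged record means a value reached the database through a path that bypassed the usual validation, which on an affected version is exactly the precondition for this issue. Escaping at the output sink, as in `renderClientRowSafe`, is the fix; filtering the database is not a substitute for it.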

Remediation

Update to Pi-hole Admin Interface version 6.5, which fixes the issue by escaping client hostnames and IP addresses before they are inserted into the DOM on the Network page and in the Dashboard chart tooltips.

Added: Apr 6, 2026, 3:26 PM
Updated: Apr 6, 2026, 3:26 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 5.4
exploitability: 4.6
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.