Pi-hole Admin Interface HTML Attribute Injection Vulnerability

Vulnerability

A stored HTML attribute injection vulnerability has been identified in the Pi-hole Admin Interface versions 6.0 up to but not including 6.5. Configuration values returned by the /api/config endpoint are inserted directly into HTML value attributes without escaping, notably in settings-advanced.js. As a result, a double quote in any config value terminates the attribute early, and the remainder of the value is parsed as additional HTML attributes. The server's Content Security Policy (CSP) blocks JavaScript execution, but the injected attributes can still change element styling and lead to UI redressing. The vulnerability can be exploited by importing a crafted teleporter backup, which bypasses the server-side validation that is applied to individually submitted fields.
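The unsafe insertion described above, next to a hardened version and a simple check on the rendered markup, as an added example that is not Pi-hole's own code; the function names and the sample config value are hypothetical.

```javascript
// Added example, not Pi-hole's code: a config value concatenated into a
// value="..." attribute (the pattern described above), a hardened version,
// and a check a reviewer can run on rendered markup. Names are hypothetical.

// Vulnerable pattern: the raw value lands inside value="...". A double quote
// in the value closes the attribute and the rest is parsed as new attributes.
function renderSettingUnsafe(key, value) {
  return `<input type="text" name="${key}" value="${value}">`;
}

// Escape the characters that can change parsing inside a quoted attribute.
function escapeHtmlAttr(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened pattern: every untrusted value is escaped before concatenation.
// In browser code, assigning input.value = value (a DOM property, not markup)
// avoids the attribute context entirely.
function renderSettingSafe(key, value) {
  return `<input type="text" name="${escapeHtmlAttr(key)}" value="${escapeHtmlAttr(value)}">`;
}

// Check: count attribute boundaries (whitespace, name, ="). The template has
// exactly three attributes, so any rendering showing more was broken out of.
function countAttributes(html) {
  const matches = html.match(/\s[A-Za-z][\w.:-]*="/g);
  return matches ? matches.length : 0;
}

// Constructed config value: a double quote followed by an extra attribute.
const SAMPLE_VALUE = 'example" data-injected="1';

function compareRenderings(key, value) {
  return {
    unsafe: countAttributes(renderSettingUnsafe(key, value)),
    safe: countAttributes(renderSettingSafe(key, value)),
  };
}

console.log(compareRenderings('dns.hosts', SAMPLE_VALUE)); // { unsafe: 4, safe: 3 }
```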

Impact

Exploitation of this vulnerability leads to stored HTML attribute injection. Authenticated Pi-hole administrators who import a malicious teleporter backup and then view the 'All settings' page will be affected. The injected attributes can alter the styling of elements, creating a redressing effect, and may also change the behavior of forms by manipulating attributes like formaction.

Reproduction

To reproduce this vulnerability, export a backup from the Pi-hole Admin Interface and modify the extracted pihole.toml file to include a crafted value that exploits the injection flaw. Repackage the backup, import it through the Pi-hole Admin Interface, and then navigate to the 'All settings' page to observe the injected attributes in action. Alternatively, the vulnerability can be reproduced by directly patching the /api/config endpoint with an unvalidated config value that includes a double quote, bypassing the need for a teleporter backup.

Remediation

Update the Pi-hole Admin Interface to version 6.5 or later, which fixes this vulnerability.

Added: Apr 6, 2026, 3:25 PM
Updated: Apr 6, 2026, 3:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.2
exploitability: 5.8
remediation: 0.0
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.