Sec Bug #68052 unsanitized dns_get_record output
Submitted: 2014-09-19 10:00 UTC
Modified: 2014-09-22 20:31 UTC
From: w at willsr dot com
Assigned:
Status: Not a bug
Package: Filter related
PHP Version: 5.4.33
OS: ALL
Private report: No
CVE-ID: None
 [2014-09-19 10:00 UTC] w at willsr dot com
Description:
------------
dns_get_record returns unsanitized output. Can be used for XSS injection via malicious TXT DNS records.

Test script:
---------------
<?php
// Fetch the TXT records for the domain and print them without any escaping.
$result = dns_get_record("jamiehankins.co.uk", DNS_TXT);
echo "Malicious TXT record = ";
print_r($result);

Expected result:
----------------
Malicious TXT record = Array
(
    [0] => Array
        (
            [host] => jamiehankins.co.uk
            [class] => IN
            [ttl] => 79
            [type] => TXT
            [txt] => <script src='//peniscorp.com/topkek.js'></script>
            [entries] => Array
                (
                    [0] => <script src='//peniscorp.com/topkek.js'></script>
                )

        )

    [1] => Array
        (
            [host] => jamiehankins.co.uk
            [class] => IN
            [ttl] => 79
            [type] => TXT
            [txt] => google-site-verification=nZUP4BagJAjQZO6AImXyzJZBXBf9s1FbDZr8pzNLTCI
            [entries] => Array
                (
                    [0] => google-site-verification=nZUP4BagJAjQZO6AImXyzJZBXBf9s1FbDZr8pzNLTCI
                )

        )

    [2] => Array
        (
            [host] => jamiehankins.co.uk
            [class] => IN
            [ttl] => 79
            [type] => TXT
            [txt] => <iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=0' frameborder='0' allowfullscreen></iframe>
            [entries] => Array
                (
                    [0] => <iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=0' frameborder='0' allowfullscreen></iframe>
                )

        )

    [3] => Array
        (
            [host] => jamiehankins.co.uk
            [class] => IN
            [ttl] => 79
            [type] => TXT
            [txt] => v=spf1 include:spf.mandrillapp.com ?all
            [entries] => Array
                (
                    [0] => v=spf1 include:spf.mandrillapp.com ?all
                )

        )

)


History

 [2014-09-19 12:34 UTC] johannes@php.net
-Status: Open +Status: Not a bug
 [2014-09-19 12:34 UTC] johannes@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

You can't trust any data coming from external sources. You have to escape it matching your requirements.
 [2014-09-22 09:40 UTC] pajoye@php.net
hi,

Thanks for the report.

Yes, this DNS XSS attack vector has been trendy in the last couple of weeks.

I do not think it is a PHP issue. Any external data must be filtered before being sent back to the user, stored in DB, etc. Nothing different here. And this applies to any language btw.
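
An added example, not part of the original report or the maintainers' replies: one way to apply the escaping the replies call for when TXT records are rendered into an HTML page. The helper names `h()` and `render_txt_records()` and the sample records are constructed for illustration; the sample array is shaped like `dns_get_record($domain, DNS_TXT)` output so the script runs without a DNS lookup.

```php
<?php
declare(strict_types=1);

/**
 * Escape one DNS-supplied string for the HTML body or a quoted attribute.
 * ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning an empty string.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render TXT records as an HTML list. Every field that comes from DNS
 * (host, txt) is escaped at the point of output, not at lookup time.
 */
function render_txt_records(array $records): string
{
    $items = [];
    foreach ($records as $record) {
        if (($record['type'] ?? '') !== 'TXT') {
            continue; // ignore anything that is not a TXT record
        }
        $host = h((string) ($record['host'] ?? ''));
        $txt  = h((string) ($record['txt'] ?? ''));
        $items[] = "<li><code>{$host}</code>: {$txt}</li>";
    }
    return "<ul>\n" . implode("\n", $items) . "\n</ul>\n";
}

// Constructed sample data (hypothetical domain and values).
$records = [
    ['host' => 'example.test', 'class' => 'IN', 'ttl' => 79, 'type' => 'TXT',
     'txt' => "<script src='//example.invalid/x.js'></script>",
     'entries' => ["<script src='//example.invalid/x.js'></script>"]],
    ['host' => 'example.test', 'class' => 'IN', 'ttl' => 79, 'type' => 'TXT',
     'txt' => 'v=spf1 include:spf.example.test ?all',
     'entries' => ['v=spf1 include:spf.example.test ?all']],
];

// The markup in the first record is emitted as inert text (&lt;script ...&gt;).
echo render_txt_records($records);
```

With a live lookup, `dns_get_record()` returns `false` on failure, so check for that before passing the result to the renderer. The escaping shown fits HTML output only; other sinks such as SQL or shell arguments need their own context-specific handling.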
 
Last updated: Sat Dec 14 07:01:27 2024 UTC