Sec Bug #68052 unsanitized dns_get_record output
Submitted: 2014-09-19 10:00 UTC
Modified: 2014-09-22 20:31 UTC
From: w at willsr dot com
Assigned:
Status: Not a bug
Package: Filter related
PHP Version: 5.4.33
OS: ALL
Private report: No
CVE-ID: None
 [2014-09-19 10:00 UTC] w at willsr dot com
Description:
------------
dns_get_record returns unsanitized output. Can be used for XSS injection via malicious TXT DNS records.

Test script:
---------------
<?php
// Look up the TXT records and dump them without any escaping.
$result = dns_get_record("jamiehankins.co.uk", DNS_TXT);
echo "Malicious TXT record = ";
print_r($result);

Expected result:
----------------
Malicious TXT record = Array
(
    [0] => Array
        (
            [host] => jamiehankins.co.uk
            [class] => IN
            [ttl] => 79
            [type] => TXT
            [txt] => <script src='//peniscorp.com/topkek.js'></script>
            [entries] => Array
                (
                    [0] => <script src='//peniscorp.com/topkek.js'></script>
                )

        )

    [1] => Array
        (
            [host] => jamiehankins.co.uk
            [class] => IN
            [ttl] => 79
            [type] => TXT
            [txt] => google-site-verification=nZUP4BagJAjQZO6AImXyzJZBXBf9s1FbDZr8pzNLTCI
            [entries] => Array
                (
                    [0] => google-site-verification=nZUP4BagJAjQZO6AImXyzJZBXBf9s1FbDZr8pzNLTCI
                )

        )

    [2] => Array
        (
            [host] => jamiehankins.co.uk
            [class] => IN
            [ttl] => 79
            [type] => TXT
            [txt] => <iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=0' frameborder='0' allowfullscreen></iframe>
            [entries] => Array
                (
                    [0] => <iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=0' frameborder='0' allowfullscreen></iframe>
                )

        )

    [3] => Array
        (
            [host] => jamiehankins.co.uk
            [class] => IN
            [ttl] => 79
            [type] => TXT
            [txt] => v=spf1 include:spf.mandrillapp.com ?all
            [entries] => Array
                (
                    [0] => v=spf1 include:spf.mandrillapp.com ?all
                )

        )

)

 [2014-09-19 12:34 UTC] johannes@php.net
-Status: Open +Status: Not a bug
 [2014-09-19 12:34 UTC] johannes@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

You can't trust any data coming from external sources. You have to escape it matching your requirements.
 [2014-09-22 09:40 UTC] pajoye@php.net
hi,

Thanks for the report.

Yes, this DNS XSS attack vector has been trendy in the last couple of weeks.

I do not think it is a PHP issue. Any external data must be filtered before being sent back to the user, stored in DB, etc. Nothing different here. And this applies to any language btw.