Sec Bug #68052 unsanitized dns_get_record output
Submitted: 2014-09-19 10:00 UTC
Modified: 2014-09-22 20:31 UTC
From: w at willsr dot com
Assigned:
Status: Not a bug
Package: Filter related
PHP Version: 5.4.33
OS: ALL
Private report: No
CVE-ID: None
 [2014-09-19 10:00 UTC] w at willsr dot com
Description:
------------
dns_get_record returns unsanitized output. Can be used for XSS injection via malicious TXT DNS records.

Test script:
---------------
<?php
// Fetch the TXT records for the domain and dump them without any escaping.
$result = dns_get_record("jamiehankins.co.uk", DNS_TXT);
echo "Malicious TXT record = ";
print_r($result);

Expected result:
----------------
Malicious TXT record = Array
(
    [0] => Array
        (
            [host] => jamiehankins.co.uk
            [class] => IN
            [ttl] => 79
            [type] => TXT
            [txt] => <script src='//peniscorp.com/topkek.js'></script>
            [entries] => Array
                (
                    [0] => <script src='//peniscorp.com/topkek.js'></script>
                )

        )

    [1] => Array
        (
            [host] => jamiehankins.co.uk
            [class] => IN
            [ttl] => 79
            [type] => TXT
            [txt] => google-site-verification=nZUP4BagJAjQZO6AImXyzJZBXBf9s1FbDZr8pzNLTCI
            [entries] => Array
                (
                    [0] => google-site-verification=nZUP4BagJAjQZO6AImXyzJZBXBf9s1FbDZr8pzNLTCI
                )

        )

    [2] => Array
        (
            [host] => jamiehankins.co.uk
            [class] => IN
            [ttl] => 79
            [type] => TXT
            [txt] => <iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=0' frameborder='0' allowfullscreen></iframe>
            [entries] => Array
                (
                    [0] => <iframe width='420' height='315' src='//www.youtube.com/embed/dQw4w9WgXcQ?autoplay=0' frameborder='0' allowfullscreen></iframe>
                )

        )

    [3] => Array
        (
            [host] => jamiehankins.co.uk
            [class] => IN
            [ttl] => 79
            [type] => TXT
            [txt] => v=spf1 include:spf.mandrillapp.com ?all
            [entries] => Array
                (
                    [0] => v=spf1 include:spf.mandrillapp.com ?all
                )

        )

)


 [2014-09-19 12:34 UTC] johannes@php.net
-Status: Open +Status: Not a bug
 [2014-09-19 12:34 UTC] johannes@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

You can't trust any data coming from external sources. You have to escape it matching your requirements.
 [2014-09-22 09:40 UTC] pajoye@php.net
Hi,

Thanks for the report.

Yes, this DNS XSS attack vector has been trendy in the last couple of weeks.

I do not think it is a PHP issue. Any external data must be filtered before being sent back to the user, stored in DB, etc. Nothing different here. And this applies to any language btw.
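
An added example (not part of the original report or of PHP's own code) of the per-context escaping both replies call for: TXT values are escaped with `htmlspecialchars` for HTML output and hex-escaped through `json_encode` flags for embedding in a script block. The record array is constructed sample data in the shape `dns_get_record()` returns, the helper names `h`, `renderTxtRecords` and `txtRecordsAsJson` are hypothetical, and PHP 7.3 or later is assumed.

```php
<?php
declare(strict_types=1);

// Constructed sample in the shape dns_get_record($host, DNS_TXT) returns,
// so the example runs offline. Swap in a live lookup for real use.
$records = [
    ['host' => 'example.test', 'class' => 'IN', 'ttl' => 79, 'type' => 'TXT',
     'txt' => "<script src='//attacker.example/x.js'></script>"],
    ['host' => 'example.test', 'class' => 'IN', 'ttl' => 79, 'type' => 'TXT',
     'txt' => 'v=spf1 include:spf.example.test ?all'],
];

/** Escape a value for an HTML text node or a quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render TXT records as an HTML list; every DNS-supplied field is escaped. */
function renderTxtRecords(array $records): string
{
    $items = '';
    foreach ($records as $r) {
        // Missing or non-string fields are treated as empty, never trusted.
        $host = is_string($r['host'] ?? null) ? $r['host'] : '';
        $txt  = is_string($r['txt'] ?? null) ? $r['txt'] : '';
        $items .= '<li><code>' . h($host) . '</code>: ' . h($txt) . "</li>\n";
    }
    return "<ul>\n" . $items . "</ul>\n";
}

/** Encode TXT values for embedding inside a <script> block (JS context). */
function txtRecordsAsJson(array $records): string
{
    // JSON_HEX_* flags stop "<", ">", "&" and quotes from ending the script
    // element or a surrounding attribute; bad UTF-8 is substituted.
    return json_encode(array_column($records, 'txt'),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR);
}

echo renderTxtRecords($records);
echo txtRecordsAsJson($records), "\n";
```

Each output context needs its own encoder: the HTML-escaped string is not safe inside a script block, and the JSON string is not safe as raw HTML.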
 