An issue has been found in the API of PowerDNS Recursor < 4.0.7, during a source code audit by Nixu. When 'api-config-dir' is set to a non-empty value, which is not the case by default, the API allows an authorized user to update the Recursor’s ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmask and IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor’s configuration.
An issue has been found in the API of PowerDNS Recursor < 4.0.7, during a source code audit by Nixu. When 'api-config-dir' is set to a non-empty value, which is not the case by default, the API allows an authorized user to update the Recursor’s ACL by adding and removing netmasks, and to configure forward zones. It was discovered that the new netmask and IP addresses of forwarded zones were not sufficiently validated, allowing an authenticated user to inject new configuration directives into the Recursor’s configuration.
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html https://github.com/PowerDNS/pdns/commit/badf9e8900428f21585f7f929aeddc87cd0d2069
Disable the ability to alter the configuration via the API by setting 'api-config-dir' to an empty value (default), or set the API read-only via the 'api-readonly' setting.
Vulmon