A cross-site scripting issue has been found in the web interface of PowerDNS Recursor from 4.0.0 up to and including 4.0.6, where the qname of DNS queries was displayed without any escaping, allowing a remote malicious user to inject HTML and Javascript code into the web interface, altering the content.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
powerdns recursor |
PowerDNS admins, feel free to fix these DNSSEC bugs before something nasty happens
Open source DNS software vendor PowerDNS has advised users to patch its "Authoritative" and "Recursor" products, to squish five bugs disclosed today. None of the bugs pose a risk that PowerDNS might itself be compromised, but this is the DNS: what an attacker can do is fool around with DNS records in various ways. That can be catastrophic if done right: for example, if a network is tricked into advertising itself as the whole of the Internet, it can be hosed, or if the wrong network promises it'...