An issue has been found in PowerDNS Recursor prior to 4.3.2 where the ACL applied to the internal web server via `webserver-allow-from` is not properly enforced, allowing a remote malicious user to send HTTP queries to the internal web server and bypass the restriction. Note that the web server is not enabled by default: only installations using a non-default value for both `webserver` and `webserver-address` are affected. Workarounds are to disable the web server, or to set a password or an API key. Additionally, restrict the binding address using the `webserver-address` setting to local addresses only, and/or use a firewall to stop web requests from untrusted sources reaching the web server's listening address.
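The two configurations below are an added example, not text from the advisory or from the PowerDNS project: a `recursor.conf` fragment in the affected state (an ACL on an externally bound listener) beside the mitigated state the advisory describes. The advisory names `webserver`, `webserver-address` and `webserver-allow-from`; `webserver-port`, `webserver-password` and `api-key` are the Recursor settings I know for the port and the password / API-key workaround and are assumed here rather than quoted from this page. The two halves are alternatives, so use only one of them in a real file.

```ini
# Added example, not from the advisory or the PowerDNS project.
# webserver-port, webserver-password and api-key are assumed setting names
# (from the Recursor documentation as recalled), not named on this page.

# --- Affected configuration: relies on the ACL alone ---
# webserver and webserver-address are both non-default here, which is the
# affected case. On a Recursor before 4.3.2 the ACL below is not enforced,
# so any host that can reach port 8082 can query the web server and API.
webserver=yes
webserver-address=0.0.0.0
webserver-port=8082
webserver-allow-from=192.0.2.10,192.0.2.11

# --- Mitigated configuration (use instead of the block above) ---
# 1. Bind to loopback only, so other hosts cannot reach the listener at all;
#    administrators reach it over SSH or through a proxy they control.
# 2. Require credentials, because the ACL cannot be relied on before 4.3.2.
#    The values are placeholders; generate your own before use.
# 3. Keep the ACL: it is enforced again once the Recursor is 4.3.2 or later.
webserver=yes
webserver-address=127.0.0.1
webserver-port=8082
webserver-allow-from=127.0.0.1,::1
webserver-password=REPLACE_WITH_STRONG_PASSWORD
api-key=REPLACE_WITH_RANDOM_API_KEY
```

The binding change is the one that removes exposure outright: with the listener on 127.0.0.1 the unenforced ACL no longer matters to remote hosts. A host firewall rule dropping inbound traffic to the web server port from anything but trusted management addresses gives the same effect where the listener must stay on a routable address, and the password or API key stays as defence in depth for requests that do arrive.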
Vulnerable Product |
---|
powerdns recursor |