Summary
In an attack, a threat actor gains the ability to perform unauthorized queries for blocked domains against the queryads endpoint.
Details
Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others. These checks are performed after authentication and govern what ‘authorized’ users are allowed to do. Access control sounds like a simple problem but is insidiously difficult to implement correctly. A web application’s access control model is closely tied to the content and functions that the site provides. In addition, the users may fall into a number of groups or roles with different abilities or privileges.
Threat actors can craft forged requests to obtain users' data; this vulnerability exposes a user's private blacklist of blocked domains.
In this application, the vulnerability exists because the script at the following path on the server performs no access-control check before answering a query:
/admin/scripts/pi-hole/php/queryads.php
PoC
- Open the link in the browser using this template:
http://<IP>/admin/scripts/pi-hole/php/queryads.php?domain=kv1to
Where IP is the IP address of the Pi-hole, and kv1to is a search query.
In the downloaded file:
Or with a curl request in the terminal:
curl 'http://pi.hole/admin/scripts/pi-hole/php/queryads.php?domain=kv1to'
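Because the endpoint answers without a session, the request leaves a trace only in the web server's access log. The following detection script is an added example (not part of the advisory or of Pi-hole itself) that parses common/lighttpd-style access-log lines and reports successful queryads.php lookups from clients outside the assumed trusted ranges; the log lines and the trusted networks are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

# Endpoint named in the advisory; reachable without a session in affected versions.
QUERYADS_PATH = "/admin/scripts/pi-hole/php/queryads.php"

# Common/lighttpd-style access log: client, vhost, user, [time], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: the admin interface is only meant to be used from these ranges.
TRUSTED_NETS = [ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
127.0.0.1 pi.hole - [10/Mar/2023:12:00:01 +0000] "GET /admin/index.php HTTP/1.1" 200 5120
203.0.113.7 pi.hole - [10/Mar/2023:12:00:05 +0000] "GET /admin/scripts/pi-hole/php/queryads.php?domain=kv1to HTTP/1.1" 200 418
192.168.1.20 pi.hole - [10/Mar/2023:12:00:09 +0000] "GET /admin/scripts/pi-hole/php/queryads.php?domain=example.com HTTP/1.1" 200 77
198.51.100.9 pi.hole - [10/Mar/2023:12:00:12 +0000] "GET /admin/scripts/pi-hole/php/queryads.php?domain=ads.test HTTP/1.1" 403 0
"""

def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(ip):
    """True if the client address falls inside one of the assumed trusted ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def flag_external_queryads(lines):
    """Return (client_ip, domain_parameter) for successful queryads.php requests from untrusted clients."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if parts.path != QUERYADS_PATH or rec["status"] != "200" or is_trusted(rec["ip"]):
            continue
        domain = parse_qs(parts.query).get("domain", [""])[0]
        hits.append((rec["ip"], domain))
    return hits

if __name__ == "__main__":
    for ip, domain in flag_external_queryads(SAMPLE_LOG.splitlines()):
        print(f"unauthenticated blocklist lookup from {ip}: domain={domain}")
```

A request that was refused (the 403 line) is not reported, so the output shows only lookups that actually disclosed blacklist data.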
Impact
Some companies sell continuously updated blacklists to their customers as a service.
A threat actor can perform unauthorized query searches against the blocked-domain lists, which could disclose any victim's personal blacklist.
Data privacy is one of the most valuable features of a Pi-hole, and this vulnerability undermines it.