funzoneq / freshdns

FreshDNS AJAX based, PowerDNS administration system
GNU General Public License v2.0

XSRF vulnerability #7

Open luelista opened 5 years ago

luelista commented 5 years ago

I noticed that FreshDNS is vulnerable to Cross-Site Request Forgery, allowing an attacker to e.g. delete all zones on your server if they can get you to load a website containing their JavaScript while you're logged in to FreshDNS in the same browser. It is fixed (hopefully) in my merge request #6.
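The attack described in the comment above, modelled as an added example that is not FreshDNS code and not taken from merge request #6: a cookie-authenticated AJAX handler that only checks for a logged-in session beside one that additionally demands a per-session CSRF token and a matching Origin. The endpoint name, request shape, session layout and the admin origin are assumptions used to illustrate the mechanism, not FreshDNS internals.

```python
"""CSRF on a cookie-authenticated AJAX admin endpoint: vulnerable vs. hardened.

Added example, not FreshDNS code. The handler names, request dictionaries,
session layout and ADMIN_ORIGIN are assumptions for illustration only.
"""
import hmac
import secrets

ADMIN_ORIGIN = "https://dns-admin.example"   # assumed deployment origin


def fresh_zone_store():
    """Stand-in for the PowerDNS backend (constructed sample data)."""
    return {"example.org": {}, "example.net": {}}


def login(session, user):
    """Bind the user to the session and mint a token the browser only sees
    inside the admin UI's own pages, never from another origin."""
    session["user"] = user
    session["csrf_token"] = secrets.token_urlsafe(32)


def delete_all_zones_vulnerable(request, session, zones):
    """Asks only 'is there a logged-in session?'. The browser attaches the
    session cookie to a request the attacker's page triggers, so for a
    logged-in victim the answer is always 'yes'."""
    if "user" not in session:
        return 401, "login required"
    zones.clear()
    return 200, "all zones deleted"


def csrf_check(request, session):
    """Return None if the request may change state, else the rejection reason."""
    if request["method"] != "POST":
        return "state change must use POST"
    # Browsers send Origin on cross-origin POSTs; reject any foreign one.
    origin = request["headers"].get("Origin")
    if origin is not None and origin != ADMIN_ORIGIN:
        return f"cross-origin request from {origin}"
    # Token check catches requests that carry no Origin at all. Constant-time
    # compare so the token cannot be guessed byte by byte via timing.
    sent = request["headers"].get("X-CSRF-Token", "")
    expected = session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(sent, expected):
        return "missing or wrong CSRF token"
    return None


def delete_all_zones_hardened(request, session, zones):
    if "user" not in session:
        return 401, "login required"
    reason = csrf_check(request, session)
    if reason:
        return 403, reason
    zones.clear()
    return 200, "all zones deleted"


def simulate():
    session = {}
    login(session, "admin")
    # Constructed request as the victim's browser sends it when an attacker's
    # page runs fetch(url, {method: "POST", credentials: "include"}): the
    # session cookie rides along, but the attacker cannot read or attach the
    # token, and adding a custom header would force a CORS preflight anyway.
    cross_site = {"method": "POST",
                  "headers": {"Origin": "https://attacker.example"}}
    # Constructed request from the admin UI itself.
    legit = {"method": "POST",
             "headers": {"Origin": ADMIN_ORIGIN,
                         "X-CSRF-Token": session["csrf_token"]}}

    zones_a = fresh_zone_store()
    vuln = delete_all_zones_vulnerable(cross_site, session, zones_a)
    zones_b = fresh_zone_store()
    hard_cross = delete_all_zones_hardened(cross_site, session, zones_b)
    left_after_cross = len(zones_b)
    hard_legit = delete_all_zones_hardened(legit, session, zones_b)
    return {
        "vulnerable_status": vuln[0],
        "vulnerable_zones_left": len(zones_a),
        "hardened_cross_site_status": hard_cross[0],
        "hardened_zones_left_after_cross_site": left_after_cross,
        "hardened_same_site_status": hard_legit[0],
        "hardened_zones_left_after_same_site": len(zones_b),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Two caveats a reviewer of the fix would check: if any state-changing action is reachable by GET, a plain `<img src=...>` on the attacker's page is enough and no JavaScript is needed, so the method restriction matters as much as the token; and marking the session cookie `SameSite=Lax` or `Strict` is worthwhile defence in depth but not a replacement for the token, since older browsers and some cross-site navigations still send the cookie.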

AngeliqueDawnbringer commented 5 years ago

Will test for this when I have time. Going through the code as we speak to see if I can find anything "weird". I will push some "dirty" fixes like the auto-md5 to sha1/sha512 and make sure those are pushed to this as well. I'll also add all the DNSSEC related information etc. when I find some spare time.