HADESS
Cyber Security Magic

Pi-hole Attack Surface EBook

Pi-hole Attack Surface

A network-wide ad-blocking tool with the capability to execute arbitrary commands.

Executive Summary

Path Traversal to RCE via teleporter.php and zip_file Parameter:

The teleporter.php script in Pi-hole, which handles the import and export of settings, contains a vulnerability in its file upload functionality, reached through the zip_file parameter.

The application does not adequately validate the contents and name of the uploaded zip file. An attacker can craft a malicious zip file that, when processed by teleporter.php, can exploit path traversal to overwrite sensitive files or add malicious scripts. This, in turn, can lead to Remote Code Execution (RCE), allowing the attacker to run arbitrary commands on the server hosting the Pi-hole instance.
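
A defensive check for this class of flaw, as an added example (not code from the ebook or from Pi-hole, and written in Python rather than Pi-hole's PHP): every archive entry is vetted before anything is extracted. The function names, the constructed sample archive and the allowed-suffix list are assumptions made for illustration.

```python
import io
import posixpath
import stat
import zipfile

# Assumption: file types a settings backup is expected to contain.
ALLOWED_SUFFIXES = (".json", ".conf", ".list", ".db")

def unsafe_entries(zip_bytes, allowed=ALLOWED_SUFFIXES):
    """Return [(entry_name, reason)] for entries that must not be extracted."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Normalise separators and collapse "a/../b" before judging the path.
            norm = posixpath.normpath(name.replace("\\", "/"))
            if name.startswith(("/", "\\")) or name[1:2] == ":":
                problems.append((name, "absolute path"))
            elif norm == ".." or norm.startswith("../"):
                problems.append((name, "escapes extraction directory"))
            elif stat.S_ISLNK(info.external_attr >> 16):
                # Upper 16 bits hold the Unix mode; links can redirect later writes.
                problems.append((name, "symbolic link"))
            elif not info.is_dir() and not norm.lower().endswith(allowed):
                problems.append((name, "unexpected file type"))
    return problems

def build_sample():
    """Constructed test archive: one expected file, four entries to reject."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("backup/settings.json", "{}")
        zf.writestr("backup/../../outside.conf", "x")
        zf.writestr("/abs/path.conf", "x")
        zf.writestr("backup/page.php", "x")
        link = zipfile.ZipInfo("backup/link.conf")
        link.external_attr = 0o120777 << 16  # mark the entry as a symlink
        zf.writestr(link, "settings.json")
    return buf.getvalue()

if __name__ == "__main__":
    findings = unsafe_entries(build_sample())
    for entry, reason in findings:
        print(f"REJECT {entry!r}: {reason}")
    # An import handler should refuse the whole upload if anything is flagged.
    print("upload accepted" if not findings else "upload refused")
```

Rejecting the whole upload when any entry is flagged, rather than skipping the bad entries, keeps a partially processed archive from reaching the filesystem.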

Cross-Site Scripting (XSS) via groups.php and address Parameter:

The groups.php script in Pi-hole contains a Cross-Site Scripting (XSS) vulnerability in its handling of the address parameter, which allows the injection of malicious scripts into the web page.

The application fails to adequately sanitize and escape the address parameter’s value in the groups.php script. As a result, an attacker can embed malicious JavaScript code as the parameter’s value. When a user visits a crafted link or the manipulated page, the embedded script executes within their browser context, potentially leading to data theft, session hijacking, or other malicious activities.
