FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

PowerDNS -- Insufficient validation in the HTTP remote backend

Affected packages
powerdns < 4.1.7

Details

VuXML ID 6001cfc6-9f0f-4fae-9b4f-9b8fae001425
Discovery 2019-03-18
Entry 2019-03-19

PowerDNS developers report:

An issue has been found in PowerDNS Authoritative Server when the HTTP remote backend is used in RESTful mode (without post=1 set), allowing a remote user to cause the HTTP backend to connect to an attacker-specified host instead of the configured one, via a crafted DNS query. This can be used to cause a denial of service by preventing the remote backend from getting a response, content spoofing if the attacker can time its own query so that subsequent queries will use an attacker-controlled HTTP server instead of the configured one, and possibly information disclosure if the Authoritative Server has access to internal servers.

References

CVE Name CVE-2019-3871
URL https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-03.html