sql escaping in sqlite(3) backend failed #358
Habbie opened this issue Apr 26, 2013 · 3 comments
Habbie commented Apr 26, 2013

Hi,

I just discovered a bug in the sqlite3 backend which leads to a SQL injection vulnerability.

I'm running a master nameserver and a slave which gets updated by axfr. I have a "<script>alert('xss')</script>" TXT-Record (for a POC of triggering XSS on a website) and got this in the slave's log file:

May 4 13:03:22 deimos pdns[6192]: Communicator thread died because of error: Unable to compile SQLite statement : near "test": syntax error

Seems the content of the record does not get escaped properly.

Steps to reproduce:

  • Given you have a master and a slave nameserver.
  • Add a record with a ' (for example a TXT record) on the master nameserver.
  • Start a zone transfer

I haven't yet tried to trigger it via a crafted DNS query; in that case the impact would be much bigger.

@ghost ghost assigned Habbie Apr 26, 2013
@Habbie Habbie closed this as completed Apr 26, 2013
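The failure described in the report, reduced to its core: record content spliced into SQL text versus bound as a statement parameter. This is an added illustration in Python's sqlite3 module, not PowerDNS code; the table layout and the sample TXT record are constructed for the example.

```python
import sqlite3

# Constructed sample record (not from the issue): TXT content containing a
# single quote, the character the report says breaks the backend's statement.
RECORD = {"domain_id": 1, "name": "test.example.org", "type": "TXT",
          "content": "it's a test", "ttl": 3600}

SCHEMA = ("CREATE TABLE records (domain_id INTEGER, name TEXT, "
          "type TEXT, content TEXT, ttl INTEGER)")
COLUMNS = ("domain_id", "name", "type", "content", "ttl")


def fresh_db():
    """In-memory SQLite database with a minimal records table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_unsafe(conn, rec):
    """Splices the record into the SQL text; a ' in content ends the literal early."""
    sql = ("INSERT INTO records (domain_id, name, type, content, ttl) "
           "VALUES (%d, '%s', '%s', '%s', %d)"
           % tuple(rec[c] for c in COLUMNS))
    conn.execute(sql)


def insert_safe(conn, rec):
    """Prepared statement with bound parameters: content is data, never SQL."""
    sql = ("INSERT INTO records (domain_id, name, type, content, ttl) "
           "VALUES (?, ?, ?, ?, ?)")
    conn.execute(sql, tuple(rec[c] for c in COLUMNS))


def compare(rec=RECORD):
    """Returns (outcome of the unsafe insert, content stored by the safe insert)."""
    conn = fresh_db()
    try:
        insert_unsafe(conn, rec)
        unsafe = "inserted"
    except sqlite3.OperationalError as exc:
        # Same class of failure as the "Unable to compile SQLite statement" log line.
        unsafe = "error: %s" % exc
    insert_safe(conn, rec)
    stored = conn.execute("SELECT content FROM records").fetchone()[0]
    conn.close()
    return unsafe, stored


if __name__ == "__main__":
    print(compare())
```

With the quoted content the unsafe path raises a syntax error while the bound-parameter path stores the content verbatim; with quote-free content both succeed, which is why the bug only surfaced once a record with a ' arrived over AXFR.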

Habbie commented Apr 26, 2013

Author: anon
A simple query isn't enough to trigger it, because it gets filtered as invalid before reaching the gsqlite3 backend:

May 4 15:25:10 phobos pdns[24178]: Received a malformed qdomain from 85.214.243.247, 'foo'bar.freigeist.org': sending servfail

Johannes 'fish' Ziemke


Habbie commented Apr 26, 2013

Author: anon
btw: I'm running pdns from debian, package version: 2.9.22-8

-- Johannes 'fish' Ziemke


Habbie commented Apr 26, 2013

Author: anon
Just tried to reproduce it with a recent 3.0 snapshot and it's already fixed there (see changeset [1342])
