CVE-2025-34317
📋 TL;DR
This stored XSS vulnerability in IPFire allows authenticated attackers to inject malicious JavaScript through DNS configuration settings. When other users view the compromised DNS entries, the injected scripts execute in their browser context. This affects all IPFire installations running versions before 2.29 Core Update 198.
💻 Affected Systems
- IPFire
📦 What is this software?
Ipfire by Ipfire
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal administrator session cookies, perform actions as other users, or redirect users to malicious sites, potentially leading to full system compromise.
Likely Case
Attackers with authenticated access could steal session tokens or credentials from other users viewing DNS settings, enabling privilege escalation or lateral movement.
If Mitigated
With proper input validation and output encoding, the injected scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access to the web interface. The vulnerability is stored/persistent, affecting all users who view the compromised DNS entries.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IPFire 2.29 Core Update 198
Vendor Advisory: https://www.ipfire.org/blog/ipfire-2-29-core-update-198-released
Restart Required: No
Instructions:
1. Log into the IPFire web interface as admin.
2. Navigate to System > Updates.
3. Apply Core Update 198.
4. Verify update completion.
🔧 Temporary Workarounds
Input Validation Filter
Implement custom input validation to reject special characters in the TLS_HOSTNAME field
🧯 If You Can't Patch
- Restrict access to DNS configuration module to trusted administrators only
- Implement web application firewall rules to block XSS payloads in POST requests to /cgi-bin/dns.cgi
🔍 How to Verify
Check if Vulnerable:
Check IPFire version via web interface dashboard or SSH command: cat /etc/ipfire-release
Check Version:
cat /etc/ipfire-release
Verify Fix Applied:
After applying Core Update 198, verify that the reported version is 2.29 with Core Update 198 or higher
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /cgi-bin/dns.cgi with JavaScript payloads in TLS_HOSTNAME parameter
- Multiple failed authentication attempts followed by successful login and DNS modifications
Network Indicators:
- HTTP POST requests containing script tags or JavaScript functions in TLS_HOSTNAME parameter
SIEM Query:
source="ipfire_web_logs" AND uri_path="/cgi-bin/dns.cgi" AND (method="POST") AND (param="TLS_HOSTNAME") AND (value MATCHES "<script|javascript:|onload=|onerror=")
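The input-validation workaround and the TLS_HOSTNAME log indicator above can share one allow-list check instead of a pattern deny-list. The sketch below is an added example, not IPFire's code (IPFire's CGI scripts are Perl): it assumes TLS_HOSTNAME should only ever hold a DNS hostname and that POST bodies to /cgi-bin/dns.cgi are available as urlencoded form data. The sample bodies and the ACTION field name are constructed placeholders.

```python
import html
import re
from urllib.parse import parse_qs

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_hostname(value: str) -> bool:
    """Allow-list check: accept only RFC 1123 style hostnames."""
    if not value or len(value) > 253:
        return False
    name = value[:-1] if value.endswith(".") else value  # tolerate one trailing dot
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def check_post_body(body: str) -> list[str]:
    """Return the TLS_HOSTNAME values in a urlencoded body that fail the check."""
    fields = parse_qs(body, keep_blank_values=True)
    # A blank value means the field was left empty, which is not an indicator.
    return [v for v in fields.get("TLS_HOSTNAME", []) if v and not is_valid_hostname(v)]


def render_cell(value: str) -> str:
    """Output encoding: the stored value is emitted as text, never as markup."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


# Constructed sample bodies; only TLS_HOSTNAME is a name taken from the page.
SAMPLES = [
    "ACTION=add&TLS_HOSTNAME=dns.example.org",
    "ACTION=add&TLS_HOSTNAME=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "ACTION=add&TLS_HOSTNAME=resolver.example.net%22+onerror%3D%22x",
    "ACTION=add&TLS_HOSTNAME=",
]

if __name__ == "__main__":
    for body in SAMPLES:
        bad = check_post_body(body)
        print("REJECT" if bad else "ok    ", body)
        for value in bad:
            print("        encoded for display:", render_cell(value))
```

Because the check accepts only the hostname grammar, it also flags values that a `<script|javascript:|onload=|onerror=` pattern would miss, such as other event-handler attributes or stray quotes.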