New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

XML external entity (XXE) vulnerability #243

Closed
Sami32 opened this Issue Sep 20, 2018 · 3 comments

Comments

Projects
None yet
2 participants
@Sami32

Sami32 commented Sep 20, 2018

Media servers using the Cling library have recently been spotted has having a security issue:
https://www.exploit-db.com/exploits/45146/
https://www.exploit-db.com/exploits/45133/
https://www.exploit-db.com/exploits/45145/

The XML parser don't disable the inline DTDs parsing by default or do not provide a mean to disable it AFAIK.

@christianbauer

This comment has been minimized.

Show comment
Hide comment
@christianbauer

christianbauer Sep 24, 2018

Member

I don't use or maintain Cling anymore. For this issue I would be willing to merge a pull request with a tested fix and do a new minor release. One of the many commercial users of Cling should have the budget to do this. I would assume the fix has to be done in https://github.com/4thline/seamless in the classes SAXParser and DOMParser.

Related: 4thline/seamless#9

Member

christianbauer commented Sep 24, 2018

I don't use or maintain Cling anymore. For this issue I would be willing to merge a pull request with a tested fix and do a new minor release. One of the many commercial users of Cling should have the budget to do this. I would assume the fix has to be done in https://github.com/4thline/seamless in the classes SAXParser and DOMParser.

Related: 4thline/seamless#9

@Sami32

This comment has been minimized.

Show comment
Hide comment
@Sami32

Sami32 Sep 24, 2018

Thank you for answering and having informed us about this project status +1
Let's hope that some commercial projects will care for their customers security then.

I forgot to say that BubbleUPnP is probably the one exposing more users, with Plex.
https://www.facebook.com/MyCloudPlayer/posts/bubbleupnp-upnpdlnawhats-new-sharing-to-bubbleupnp-from-the-my-cloud-player-for-/623858287682093/

Sami32 commented Sep 24, 2018

Thank you for answering and having informed us about this project status +1
Let's hope that some commercial projects will care for their customers security then.

I forgot to say that BubbleUPnP is probably the one exposing more users, with Plex.
https://www.facebook.com/MyCloudPlayer/posts/bubbleupnp-upnpdlnawhats-new-sharing-to-bubbleupnp-from-the-my-cloud-player-for-/623858287682093/

@Sami32

This comment has been minimized.

Show comment
Hide comment
@Sami32

Sami32 Sep 25, 2018

@christianbauer I just get an answer from BubbleUPnP developer on their XDA forum saying that they will address this issue in their next update, so let's hope they will be open source minded and push their fix into your Seamless project.

Sami32 commented Sep 25, 2018

@christianbauer I just get an answer from BubbleUPnP developer on their XDA forum saying that they will address this issue in their next update, so let's hope they will be open source minded and push their fix into your Seamless project.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment