XML external entity (XXE) vulnerability

[Sami32]

Media servers using the Cling library have recently been spotted has having a security issue:
https://www.exploit-db.com/exploits/45146/
https://www.exploit-db.com/exploits/45133/
https://www.exploit-db.com/exploits/45145/

The XML parser don't disable the inline DTDs parsing by default or do not provide a mean to disable it AFAIK.

[christianbauer]

I don't use or maintain Cling anymore. For this issue I would be willing to merge a pull request with a tested fix and do a new minor release. One of the many commercial users of Cling should have the budget to do this. I would assume the fix has to be done in https://github.com/4thline/seamless in the classes SAXParser and DOMParser.

Related: 4thline/seamless#9

[Sami32]

Thank you for answering and having informed us about this project status +1
Let's hope that some commercial projects will care for their customers security then.

I forgot to say that BubbleUPnP is probably the one exposing more users, with Plex.
https://www.facebook.com/MyCloudPlayer/posts/bubbleupnp-upnpdlnawhats-new-sharing-to-bubbleupnp-from-the-my-cloud-player-for-/623858287682093/

[Sami32]

@christianbauer I just get an answer from BubbleUPnP developer on their XDA forum saying that they will address this issue in their next update, so let's hope they will be open source minded and push their fix into your Seamless project.

[Sami32]

The security issue wasn't fixed:
UniversalMediaServer/UniversalMediaServer#1522 (comment)

So this issue should be re-opened.