[security][CVE-2019-16935] A reflected XSS in python/Lib/DocXMLRPCServer.py

[lwzSoviet]

BPO	38243
Nosy	@vstinner, @larryhastings, @ned-deily, @JulienPalard, @corona10, @miss-islington, @tirkarthi, @lwzSoviet
PRs	bpo-38243: Escape the server_title of DocXMLRPCServer when rendering #16373 [3.8] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) #16439 [3.7] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) #16440 [3.6] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) #16441 [2.7] bpo-38243: Escape the server title of DocXMLRPCServer #16447 [3.5] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441) #16516
Files	poc.py

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2019-10-29.05:43:00.681>
created_at = <Date 2019-09-21.02:17:30.141>
labels = ['type-security', '3.8', '3.7', 'library', '3.9']
title = '[security][CVE-2019-16935] A reflected XSS in python/Lib/DocXMLRPCServer.py'
updated_at = <Date 2020-03-23.14:58:02.727>
user = 'https://github.com/lwzSoviet'

bugs.python.org fields:

activity = <Date 2020-03-23.14:58:02.727>
actor = 'vstinner'
assignee = 'none'
closed = True
closed_date = <Date 2019-10-29.05:43:00.681>
closer = 'larry'
components = ['Library (Lib)']
creation = <Date 2019-09-21.02:17:30.141>
creator = 'longwenzhang'
dependencies = []
files = ['48619']
hgrepos = []
issue_num = 38243
keywords = ['patch', 'security_issue']
message_count = 19.0
messages = ['352921', '352922', '353132', '353140', '353169', '353170', '353301', '353395', '353403', '353404', '353407', '353418', '353440', '353668', '353677', '353689', '355614', '361819', '364855']
nosy_count = 8.0
nosy_names = ['vstinner', 'larry', 'ned.deily', 'mdk', 'corona10', 'miss-islington', 'xtreak', 'longwenzhang']
pr_nums = ['16373', '16439', '16440', '16441', '16447', '16516']
priority = 'high'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue38243'
versions = ['Python 2.7', 'Python 3.5', 'Python 3.6', 'Python 3.7', 'Python 3.8', 'Python 3.9']

[lwzSoviet]

It's "Lib/DocXMLRPCServer.py" in python2x or "Lib/xmlrpc/server.py" in python3x.

Steps to reproduce:

1.Lib/DocXMLRPCServer.py is “a documenting XML-RPC Server“,In the Class ServerHTMLDoc, method markup(), will escape the Special symbols to safe(such as <," etc).
2.But it only escape the content from server.set_server_name() and server.set_server_documentation(),the "title" content from the server.set_server_title() will not be escaped, so if I set_server_title('123</title><script>alert(1)</script>'), it will cause XSS because not escaped.
3.I see the alert in Chrome by visiting http://127.0.0.1,the Poc is the poc.py（run in python2.7） in attachments.
4.Problems seems to be at
https://github.com/python/cpython/blob/master/Lib/xmlrpc/server.py#L897 "return documenter.page(self.server_title,documentation)".Before this line,variable "documentation" has been escaped but self.server_title not.This is the main cause.

[tirkarthi]

Thanks for the report. There is a policy to report security vulnerabilities in CPython : https://www.python.org/news/security/.

[corona10]

Looks like this issue can be solved by below code changed.

@@ -833,7 +834,7 @@ class XMLRPCDocGenerator:
def set_server_title(self, server_title):
"""Set the HTML title of the generated server documentation"""

•    self.server_title = server_title
  

+ self.server_title = html.escape(server_title)

[corona10]

I've proposed the patch on GitHub which escaping the server_title when the documenter.page is called. (It different point with msg353132.

[vstinner]

Thanks for the report. There is a policy to report security vulnerabilities in CPython : https://www.python.org/news/security/.

The private security mailing list has been contacted first and we advice to open a public issue since we consider that it's not a major security issue.

To exploit this bug, the attacker has to control the XML-RPC server title.

[vstinner]

I've proposed the patch on GitHub which escaping the server_title when the documenter.page is called. (It different point with msg353132.

The attached poc.py seems to show that server name and server documentation are not escaped neither.

server.set_server_name('test<script>')
server.set_server_documentation('test<script>')

Well, please write a test to check that ;-)

[corona10]

@vstinner

Thank you for the feedback.
I've updated the PR with the unit test you suggested :-)

[vstinner]

New changeset e8650a4 by Victor Stinner (Dong-hee Na) in branch 'master':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
e8650a4

[miss-islington]

New changeset 39a0c75 by Miss Islington (bot) in branch '3.7':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
39a0c75

[miss-islington]

New changeset 6447b9f by Miss Islington (bot) in branch '3.8':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
6447b9f

[vstinner]

@Dong-Hee Na: Would you mind to try to backport the change to Python 2.7 which also has the bug?

[corona10]

Sure!

[ned-deily]

New changeset 1698cac by Ned Deily (Victor Stinner) in branch '3.6':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441)
1698cac

[vstinner]

New changeset 8eb6415 by Victor Stinner (Dong-hee Na) in branch '2.7':
[2.7] bpo-38243: Escape the server title of DocXMLRPCServer (GH-16447)
8eb6415

[vstinner]

I prefer to keep it open until the 3.5 backport is merged.

[corona10]

I prefer to keep it open until the 3.5 backport is merged.
Sorry, I didn't find it.
Yes, we should let it open until the PR is merged.

[larryhastings]

New changeset 3fe1b19 by larryhastings (Victor Stinner) in branch '3.5':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441) (bpo-16516)
3fe1b19

[vstinner]

CVE-2019-16935 has been assigned to this vulnerability.

[vstinner]

Charalampos Strataris's advice: If you backport the security fix and test_docxmlrpc starts to hang randomly, you should also backport bpo-27614 fix. For example, it's the commit 3911d83 for Python 2.7. We had the issue on RHEL 7.