XXE DoS in getsvgsize #152
Comments
Oooh, thanks for the detailed report! I'll fix that right away and release a patch. I'll also add you to the credits page. How did you discover it, out of curiosity?
I was actually just reading through your code and then realised it. Took a fair bit of searching before reporting to be sure. I guess I was more just curious on how you handle the SVG files :)
@prodigysml Cool! I'll have a patch out in 1/2 hour max. I wasn't sure how to handle an SVG correctly, so I brainstormed a few ways to simply check if a valid SVG is being uploaded, and ended up checking to make sure it's valid XML and that it's got a valid size. The whole file upload system is a bit of a mess, tbh - but I'm not sure how I could tidy it up any further without rewriting the whole thing :P
Released v0.15.1: https://github.com/sbrl/Pepperminty-Wiki/releases/tag/v0.15.1 Thanks for taking the time to do such a thorough investigation into the issue, @prodigysml! I didn't even know that XML entities were a thing :P
Issue
Pepperminty-Wiki is vulnerable to XXE attacks due to the usage of the simplexml_load_file function without disabling entities. This leads to a confirmed denial of service scenario (https://en.wikipedia.org/wiki/Billion_laughs_attack) and may lead to execution of commands on the server.
Where the Issue Occurred
If an uploaded SVG containing the billion laughs payload makes its way to the simplexml_load_file function, the denial of service scenario is triggered. The exact locations in the code are given below:
Pepperminty-Wiki/build/index.php
Line 5469 in e0aeda8
Pepperminty-Wiki/modules/feature-upload.php
Line 624 in e0aeda8
Remediation
Prior to loading any xml, disable entities ensuring that the above-mentioned attacks will no longer be possible.
libxml_disable_entity_loader(true);
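As an added illustration of the remediation (example code written for this page, not Pepperminty-Wiki's own getsvgsize), the function below reads an uploaded SVG's dimensions while refusing any DOCTYPE/ENTITY declaration up front, so neither external entities nor the internal entity expansion behind the billion laughs pattern ever reach the parser, and only then disables the external entity loader and parses with network access off. The function name, the size cap and the sample input are this example's own assumptions.

```php
<?php
// Added defensive example, not the project's code. Names and limits are assumed.
const MAX_SVG_BYTES = 2 * 1024 * 1024; // assumed upload cap, checked before parsing

function getsvgsize_safe(string $svg): ?array
{
    if (strlen($svg) > MAX_SVG_BYTES) {
        return null; // oversized: refuse before the parser ever runs
    }
    // A valid SVG needs no DOCTYPE and no <!ENTITY ...>; refusing both outright
    // stops entity expansion (internal or external) before libxml sees the data.
    if (preg_match('/<!DOCTYPE|<!ENTITY/i', $svg)) {
        return null;
    }
    // No external entity loading. PHP < 8.0 needs the explicit call; from 8.0 the
    // loader is off by default and the function is deprecated, so guard it.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET forbids network access. Deliberately NOT passing LIBXML_NOENT
    // (which would *enable* entity substitution) nor LIBXML_PARSEHUGE (which lifts
    // libxml2's built-in entity-expansion limits).
    $xml = simplexml_load_string($svg, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($xml === false || $xml->getName() !== 'svg') {
        return null; // not well-formed XML, or the root element is not <svg>
    }
    $attrs = $xml->attributes();
    $w = isset($attrs['width'])  ? (float) $attrs['width']  : null;
    $h = isset($attrs['height']) ? (float) $attrs['height'] : null;
    if (($w === null || $h === null) && isset($attrs['viewBox'])) {
        // Fall back to the viewBox "min-x min-y width height" quadruple.
        $box = preg_split('/[\s,]+/', trim((string) $attrs['viewBox']));
        if (count($box) === 4) {
            $w = $w ?? (float) $box[2];
            $h = $h ?? (float) $box[3];
        }
    }
    if ($w === null || $h === null || $w <= 0 || $h <= 0) {
        return null; // no usable size: treat as an invalid upload
    }
    return ['width' => $w, 'height' => $h];
}

// Constructed sample input: a plain SVG that only carries a viewBox.
$sample = '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 120 80"></svg>';
var_dump(getsvgsize_safe($sample)); // array with width 120 and height 80
```

Any upload for which the function returns null should be rejected rather than passed on to simplexml_load_file.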