yahoo-eng-team team mailing list archive
Message #02100
[Bug 1100279] Re: Local file leak through entities in XML requests (CVE-2013-1665)
** Changed in: keystone/folsom
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1100279
Title:
Local file leak through entities in XML requests (CVE-2013-1665)
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone essex series:
Fix Committed
Status in Keystone folsom series:
Fix Released
Bug description:
Evil XML! Jonathan Murray from NCC Group reported that you can leak
local file contents using XML entities in Keystone requests:

  POST /v2.0//OS-KSDM/roles HTTP/1.1
  x-auth-token: d0e1a2d3b4e5e6f7
  content-type: application/xml

  <!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
  <role>
    <name>&ent;</name>
  </role>

just returns the content of the local file in role.name.
Looks like we should disable parsing entities altogether, they seem to
be exploitable in pretty awesome ways. I'm not sure only Keystone is
affected by this.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1100279/+subscriptions
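
Added example (not part of the original bug report and not Keystone's own fix): one way to act on the suggestion to disable entity parsing altogether is to reject any request body that carries a DOCTYPE or entity declaration before the application parser sees it. It uses Python's standard-library expat bindings; the function names and the sample bodies are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """The request body declares a DTD or an entity."""


def _forbid(what):
    # Build an expat callback that aborts the parse as soon as it fires.
    def handler(*_args):
        raise ForbiddenXML(what + " is not allowed in a request body")
    return handler


def check_no_entities(body: bytes) -> None:
    """Scan the body with expat; raise ForbiddenXML on any DTD or entity."""
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = _forbid("DOCTYPE declaration")
    p.EntityDeclHandler = _forbid("entity declaration")
    p.ExternalEntityRefHandler = _forbid("external entity reference")
    p.Parse(body, True)  # malformed XML still raises expat.ExpatError


def parse_role_name(body: bytes) -> str:
    """Return role/name text from a body that passed the entity check."""
    check_no_entities(body)
    root = ET.fromstring(body)
    name = root.findtext("name")
    if root.tag != "role" or name is None:
        raise ValueError("expected <role><name>...</name></role>")
    return name


# Constructed sample bodies: a plain role, and the shape from the report.
BENIGN = b"<role><name>auditor</name></role>"
WITH_ENTITY = (
    b'<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>'
    b"<role><name>&ent;</name></role>"
)

if __name__ == "__main__":
    print(parse_role_name(BENIGN))
    try:
        parse_role_name(WITH_ENTITY)
    except ForbiddenXML as exc:
        print("rejected:", exc)
```

Predefined references such as `&amp;` need no DTD and still parse; only bodies that declare their own DTD or entities are refused.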