XXE in Import and RSS Extension
Closed, ResolvedPublic

Description

Similar to the issue in bug 46859, both the article import feature, and the RSS Extension parse user-supplied XML, without disabling external entities.

During import, the external entity is expanded (can trigger an http get, or could execute an expect:// handler), but the output is not shown (the parsing encounters and unexpected "mediawiki" element, and fails), so confidentiality of local files is not compromised.

While displaying an RSS feed with the RSS Extension, entities are expanded, and can be displayed to the user. A malicious RSS could compromise the confidentiality of local files, in addition to triggering http gets or executing expect:// handlers.


Version: unspecified
Severity: major

Details

Reference
bz47251
bzimport set Reference to bz47251.
bzimport added a subscriber: Unknown Object (MLST).
csteipp created this task.Apr 15 2013, 3:54 PM

Related URL: https://gerrit.wikimedia.org/r/59202 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)

Related URL: https://gerrit.wikimedia.org/r/59342 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)

Related URL: https://gerrit.wikimedia.org/r/59349 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)

Related URL: https://gerrit.wikimedia.org/r/59357 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)

Related URL: https://gerrit.wikimedia.org/r/59377 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)

Add Comment