XXE in Import and RSS Extension
Closed, ResolvedPublic

Description

Similar to the issue in bug 46859, both the article import feature, and the RSS Extension parse user-supplied XML, without disabling external entities.

During import, the external entity is expanded (can trigger an http get, or could execute an expect:// handler), but the output is not shown (the parsing encounters and unexpected "mediawiki" element, and fails), so confidentiality of local files is not compromised.

While displaying an RSS feed with the RSS Extension, entities are expanded, and can be displayed to the user. A malicious RSS could compromise the confidentiality of local files, in addition to triggering http gets or executing expect:// handlers.


Version: unspecified
Severity: major

bzimport added a subscriber: Unknown Object (MLST).
bzimport set Reference to bz47251.
csteipp created this task.Via LegacyApr 15 2013, 3:54 PM
gerritbot added a comment.Via ConduitApr 15 2013, 8:53 PM

Related URL: https://gerrit.wikimedia.org/r/59202 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)

gerritbot added a comment.Via ConduitApr 15 2013, 10:47 PM

Related URL: https://gerrit.wikimedia.org/r/59342 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)

gerritbot added a comment.Via ConduitApr 15 2013, 11:12 PM

Related URL: https://gerrit.wikimedia.org/r/59349 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)

gerritbot added a comment.Via ConduitApr 15 2013, 11:28 PM

Related URL: https://gerrit.wikimedia.org/r/59357 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)

gerritbot added a comment.Via ConduitApr 16 2013, 6:09 AM

Related URL: https://gerrit.wikimedia.org/r/59377 (Gerrit Change I0b39386e6cf4ec0244aab8ebc4095922511e2964)

csteipp added a project: Security.Via WebMar 26 2015, 8:39 PM

Add Comment