4thline / cling

UPnP/DLNA library for Java and Android

XML external entity (XXE) vulnerability

Sami32 opened this issue · comments

Media servers using the Cling library have recently been spotted as having a security issue:
https://www.exploit-db.com/exploits/45146/
https://www.exploit-db.com/exploits/45133/
https://www.exploit-db.com/exploits/45145/

The XML parser doesn't disable inline DTD parsing by default, or does not provide a means to disable it, AFAIK.

I don't use or maintain Cling anymore. For this issue I would be willing to merge a pull request with a tested fix and do a new minor release. One of the many commercial users of Cling should have the budget to do this. I would assume the fix has to be done in https://github.com/4thline/seamless in the classes SAXParser and DOMParser.

Related: 4thline/seamless#9

Thank you for answering and for having informed us about this project's status +1
Let's hope that some commercial projects will care for their customers' security then.

I forgot to say that BubbleUPnP is probably the one exposing more users, with Plex.
https://www.facebook.com/MyCloudPlayer/posts/bubbleupnp-upnpdlnawhats-new-sharing-to-bubbleupnp-from-the-my-cloud-player-for-/623858287682093/

@christianbauer I just got an answer from the BubbleUPnP developer on their XDA forum saying that they will address this issue in their next update, so let's hope they will be open source minded and push their fix into your Seamless project.

The security issue wasn't fixed:
UniversalMediaServer/UniversalMediaServer#1522 (comment)

So this issue should be re-opened.