
Blind SSRF vulnerability #246

Closed
traut opened this issue Oct 14, 2020 · 3 comments · Fixed by #247

Comments

@traut
Contributor

traut commented Oct 14, 2020

When content that starts with http:// is passed to libtaxii's parse method, the library executes an HTTP GET request, even though no_network is set to True on the XML parser.

Executing

from libtaxii.common import parse
parse("http://test-domain.local?junkdata")

will trigger a GET request to http://test-domain.local?junkdata

This means that a maliciously crafted TAXII request can trigger a blind SSRF.

Reproducible in libtaxii v1.1.117.

from eclecticiq/OpenTAXII#176
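The defensive pattern behind the report above, as an added example (not libtaxii's or OpenTAXII's own code): hand lxml a file-like object rather than a Python string, so a request body can only ever be treated as XML text and never as a URL or file path, and switch off external fetches in the parser. It assumes lxml is installed; the TAXII Discovery_Request below is constructed for the demo.

```python
"""Parse untrusted TAXII XML without letting the body select a location.

lxml's etree.parse() accepts a filename or URL when it is given a str, so a
body such as "http://test-domain.local?junkdata" is fetched as a document.
The no_network flag on XMLParser, as this issue shows, does not stop that
top-level fetch. Wrapping the bytes in BytesIO removes the ambiguity.
"""
from io import BytesIO

from lxml import etree

# Hardened parser: no network access during parsing, no DTD loading,
# no entity expansion.
_PARSER = etree.XMLParser(
    no_network=True,
    load_dtd=False,
    resolve_entities=False,
)


def safe_parse(content):
    """Parse *content* (str or bytes) strictly as document text."""
    if isinstance(content, str):
        content = content.encode("utf-8")
    if not isinstance(content, (bytes, bytearray)):
        # Refuse anything else (paths, file objects chosen by the caller).
        raise TypeError("content must be str or bytes")
    # A file-like source is never interpreted as a URL or filename.
    return etree.parse(BytesIO(content), parser=_PARSER).getroot()


def parse_or_reject(content):
    """Return (True, root_tag) for well-formed XML, or (False, reason)
    when the body is not XML at all (for example a bare URL string)."""
    try:
        root = safe_parse(content)
    except etree.XMLSyntaxError as exc:
        return False, "not XML: %s" % exc
    return True, root.tag


# Constructed sample input: a minimal TAXII 1.1 Discovery_Request.
TAXII_DISCOVERY = (
    '<Discovery_Request '
    'xmlns="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" '
    'message_id="1"/>'
)

if __name__ == "__main__":
    # The URL string from the report is rejected instead of being fetched.
    print(parse_or_reject("http://test-domain.local?junkdata"))
    print(parse_or_reject(TAXII_DISCOVERY))
```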

@emmanvg
Contributor

emmanvg commented Oct 14, 2020

Hi @traut, the parse method defined in libtaxii wraps the lxml library's etree.parse() or etree.XML() method. I looked at the configuration defined on the OpenTAXII repo and it looks similar to the configuration provided in libtaxii by default when no parser is set (get_xml_parser). I would raise this issue with the lxml group and include more information about the finding. Hope this helps!

Homepage - https://lxml.de/

@JasonKeirstead

JasonKeirstead commented Oct 15, 2020

@orsinium
Contributor

CVE-2020-27197
