Headline
CVE-2019-16935: Issue 38243: [security][CVE-2019-16935] A reflected XSS in python/Lib/DocXMLRPCServer.py
The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.
Issue38243
Created on 2019-09-21 02:17 by longwenzhang, last changed 2022-04-11 14:59 by admin. This issue is now closed.
Files
File name | Uploaded | Description
poc.py | longwenzhang, 2019-09-21 02:17 |
Pull Requests
URL | Status | Linked
PR 16373 | merged | corona10, 2019-09-25 04:23
PR 16439 | merged | miss-islington, 2019-09-27 20:00
PR 16440 | merged | miss-islington, 2019-09-27 20:00
PR 16441 | merged | vstinner, 2019-09-27 20:03
PR 16447 | merged | corona10, 2019-09-28 01:20
PR 16516 | merged | vstinner, 2019-10-01 10:59
Messages (19)
msg352921 - (view)
Author: longwenzhang (longwenzhang) *
Date: 2019-09-21 02:17
It's "Lib/DocXMLRPCServer.py" in Python 2.x or "Lib/xmlrpc/server.py" in Python 3.x.
Steps to reproduce:
1. Lib/DocXMLRPCServer.py is "a documenting XML-RPC Server". In the class ServerHTMLDoc, the method markup() will escape the special symbols to be safe (such as <, " etc.).
2. But it only escapes the content from server.set_server_name() and server.set_server_documentation(); the "title" content from server.set_server_title() will not be escaped, so if I set_server_title('123</title><script>alert(1)</script>'), it will cause XSS because it is not escaped.
3. I see the alert in Chrome by visiting http://127.0.0.1; the PoC is the poc.py (run in Python 2.7) in the attachments.
4. The problem seems to be at https://github.com/python/cpython/blob/master/Lib/xmlrpc/server.py#L897 "return documenter.page(self.server_title,documentation)". Before this line, the variable "documentation" has been escaped but self.server_title has not. This is the main cause.
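The regression check the thread goes on to ask for, generalized to all three setters (title, name and documentation), as an added example that is not part of the issue, the attached poc.py, or CPython's own test suite. It composes the two stdlib mixins that DocXMLRPCServer inherits from so the documentation HTML can be rendered in-process without binding a socket, feeds each setter a constructed probe string containing markup, and reports which fields let the raw markup through. On an interpreter that carries the GH-16373 fix every field is reported as escaped; on an affected release (2.7.16, 3.6.9, 3.7.4 and earlier) the title field is reported as leaking. The class name DocPageGenerator and the helper names are this example's own.

```python
"""Regression probe for the escaping gap reported in bpo-38243 (CVE-2019-16935)
in the xmlrpc.server documentation page. Added example using only public
stdlib classes; it is not code from the issue or from CPython."""
import html
from xmlrpc.server import SimpleXMLRPCDispatcher, XMLRPCDocGenerator

# Constructed probe: it closes </title> and opens a new element, which is
# exactly what an unescaped server_title lets through. It deliberately has no
# quotes or spaces, because the name/documentation paths are escaped by
# pydoc's escape() (which leaves quotes alone) and preformat() (which turns
# spaces into &nbsp;), and we want one expected escaped form for all fields.
PROBE = "probe</title><i>probe</i>"
ESCAPED_PROBE = html.escape(PROBE)  # probe&lt;/title&gt;&lt;i&gt;probe&lt;/i&gt;

# The three setters XMLRPCDocGenerator exposes.
FIELDS = ("title", "name", "documentation")


class DocPageGenerator(SimpleXMLRPCDispatcher, XMLRPCDocGenerator):
    """The two stdlib mixins DocXMLRPCServer composes, minus the listening
    socket, so generate_html_documentation() can be called directly."""

    def __init__(self):
        SimpleXMLRPCDispatcher.__init__(self)
        XMLRPCDocGenerator.__init__(self)


def render_with(field, value):
    """Render the documentation page with one field set to `value`."""
    gen = DocPageGenerator()
    getattr(gen, "set_server_" + field)(value)
    return gen.generate_html_documentation()


def field_is_escaped(field):
    """True if markup in this field reaches the page only in escaped form."""
    page = render_with(field, PROBE)
    return PROBE not in page and ESCAPED_PROBE in page


def leaking_fields():
    """Names of the fields whose raw markup survives into the HTML."""
    return [field for field in FIELDS if not field_is_escaped(field)]


if __name__ == "__main__":
    leaks = leaking_fields()
    print("fields rendered without escaping:",
          ", ".join(leaks) if leaks else "none (this interpreter carries the fix)")
```

Run it under the interpreter that actually serves the documentation page; a non-empty list means untrusted input must never reach that setter on this build, and the fix should be backported as described later in the thread.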
msg352922 - (view)
Author: Karthikeyan Singaravelan (xtreak) *
Date: 2019-09-21 04:25
Thanks for the report. There is a policy to report security vulnerabilities in CPython: https://www.python.org/news/security/.
msg353132 - (view)
Author: Dong-hee Na (corona10) *
Date: 2019-09-25 02:08
Looks like this issue can be solved by the code change below.
@@ -833,7 +834,7 @@ class XMLRPCDocGenerator: def set_server_title(self, server_title): “""Set the HTML title of the generated server documentation""”
self.server\_title = server\_title
self.server\_title = html.escape(server\_title)
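Review bot: escaping inside set_server_title stores the already-escaped string in self.server_title, so anything else reading that attribute sees entities rather than the title that was set, and a later render-time escape would double-encode it; the escape belongs at the point where the HTML is produced, the `documenter.page(self.server_title, documentation)` call quoted in msg352921, which is also where the documentation string is already escaped. As pasted, the two body lines carry no `-`/`+` markers, so it is not visible which is removed and which is added; and if this module does not already import `html`, the hunk needs that import as well.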
msg353140 - (view)
Author: Dong-hee Na (corona10) *
Date: 2019-09-25 04:40
I've proposed the patch on GitHub, which escapes the server_title when documenter.page is called. (It's a different point from msg353132.)
msg353169 - (view)
Author: STINNER Victor (vstinner) *
Date: 2019-09-25 11:00
> Thanks for the report. There is a policy to report security vulnerabilities in CPython: https://www.python.org/news/security/.
The private security mailing list has been contacted first and we advised to open a public issue since we consider that it's not a major security issue.
To exploit this bug, the attacker has to control the XML-RPC server title.
msg353170 - (view)
Author: STINNER Victor (vstinner) *
Date: 2019-09-25 11:01
> I've proposed the patch on GitHub, which escapes the server_title when documenter.page is called. (It's a different point from msg353132.)
The attached poc.py seems to show that server name and server documentation are not escaped either.
server.set_server_name('test<script>')
server.set_server_documentation('test<script>')
Well, please write a test to check that ;-)
msg353301 - (view)
Author: Dong-hee Na (corona10) *
Date: 2019-09-26 13:17
@vstinner
Thank you for the feedback. I've updated the PR with the unit test you suggested :-)
msg353395 - (view)
Author: STINNER Victor (vstinner) *
Date: 2019-09-27 19:59
New changeset e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa by Victor Stinner (Dong-hee Na) in branch 'master': bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) https://github.com/python/cpython/commit/e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa
msg353403 - (view)
Author: miss-islington (miss-islington)
Date: 2019-09-27 20:18
New changeset 39a0c7555530e31c6941a78da19b6a5b61170687 by Miss Islington (bot) in branch '3.7': bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) https://github.com/python/cpython/commit/39a0c7555530e31c6941a78da19b6a5b61170687
msg353404 - (view)
Author: miss-islington (miss-islington)
Date: 2019-09-27 20:19
New changeset 6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28 by Miss Islington (bot) in branch '3.8': bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) https://github.com/python/cpython/commit/6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28
msg353407 - (view)
Author: STINNER Victor (vstinner) *
Date: 2019-09-27 20:27
@Dong-hee Na: Would you mind trying to backport the change to Python 2.7, which also has the bug?
msg353418 - (view)
Author: Dong-hee Na (corona10) *
Date: 2019-09-27 21:49
Sure!
msg353440 - (view)
Author: Ned Deily (ned.deily) *
Date: 2019-09-28 07:33
New changeset 1698cacfb924d1df452e78d11a4bf81ae7777389 by Ned Deily (Victor Stinner) in branch '3.6': bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441) https://github.com/python/cpython/commit/1698cacfb924d1df452e78d11a4bf81ae7777389
msg353668 - (view)
Author: STINNER Victor (vstinner) *
Date: 2019-10-01 10:58
New changeset 8eb64155ff26823542ccf0225b3d57b6ae36ea89 by Victor Stinner (Dong-hee Na) in branch '2.7': [2.7] bpo-38243: Escape the server title of DocXMLRPCServer (GH-16447) https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89
msg353677 - (view)
Author: STINNER Victor (vstinner) *
Date: 2019-10-01 11:51
I prefer to keep it open until the 3.5 backport is merged.
msg353689 - (view)
Author: Dong-hee Na (corona10) *
Date: 2019-10-01 12:21
> I prefer to keep it open until the 3.5 backport is merged.
Sorry, I didn't find it. Yes, we should leave it open until the PR is merged.
msg355614 - (view)
Author: Larry Hastings (larry) *
Date: 2019-10-29 05:40
New changeset 3fe1b19265b55c290fc956e9aafcf661803782de by larryhastings (Victor Stinner) in branch '3.5': bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441) (#16516) https://github.com/python/cpython/commit/3fe1b19265b55c290fc956e9aafcf661803782de
msg361819 - (view)
Author: STINNER Victor (vstinner) *
Date: 2020-02-11 14:36
CVE-2019-16935 has been assigned to this vulnerability.
msg364855 - (view)
Author: STINNER Victor (vstinner) *
Date: 2020-03-23 14:58
Charalampos Stratakis's advice: If you backport the security fix and test_docxmlrpc starts to hang randomly, you should also backport the bpo-27614 fix. For example, it's the commit 3911d8333c5b6f9374fa11ab7c912f1471580f0f for Python 2.7. We had the issue on RHEL 7.
History
Date | User | Action | Args
2022-04-11 14:59:20 | admin | set | github: 82424
2020-03-23 14:58:02 | vstinner | set | messages: + msg364855
2020-02-11 14:36:14 | vstinner | set | messages: + msg361819; title: A reflected XSS in python/Lib/DocXMLRPCServer.py -> [security][CVE-2019-16935] A reflected XSS in python/Lib/DocXMLRPCServer.py
2019-10-29 05:43:00 | larry | set | status: open -> closed; resolution: fixed
2019-10-29 05:40:18 | larry | set | nosy: + larry; messages: + msg355614
2019-10-01 12:21:52 | corona10 | set | messages: + msg353689
2019-10-01 11:51:17 | vstinner | set | status: closed -> open; resolution: fixed -> (no value); messages: + msg353677
2019-10-01 11:28:39 | corona10 | set | status: open -> closed; resolution: fixed; stage: patch review -> resolved
2019-10-01 10:59:41 | vstinner | set | pull_requests: + pull_request16106
2019-10-01 10:58:04 | vstinner | set | messages: + msg353668
2019-09-28 07:33:05 | ned.deily | set | nosy: + ned.deily; messages: + msg353440
2019-09-28 01:20:27 | corona10 | set | pull_requests: + pull_request16026
2019-09-27 21:49:22 | corona10 | set | messages: + msg353418
2019-09-27 20:27:01 | vstinner | set | messages: + msg353407
2019-09-27 20:19:44 | miss-islington | set | messages: + msg353404
2019-09-27 20:18:19 | miss-islington | set | nosy: + miss-islington; messages: + msg353403
2019-09-27 20:03:20 | vstinner | set | pull_requests: + pull_request16020
2019-09-27 20:00:25 | miss-islington | set | pull_requests: + pull_request16019
2019-09-27 20:00:15 | miss-islington | set | pull_requests: + pull_request16018
2019-09-27 19:59:40 | vstinner | set | messages: + msg353395
2019-09-26 13:17:38 | corona10 | set | messages: + msg353301
2019-09-25 11:01:41 | vstinner | set | messages: + msg353170
2019-09-25 11:00:43 | vstinner | set | messages: + msg353169
2019-09-25 04:40:29 | corona10 | set | messages: + msg353140
2019-09-25 04:23:41 | corona10 | set | keywords: + patch; stage: patch review; pull_requests: + pull_request15953
2019-09-25 02:08:49 | corona10 | set | messages: + msg353132
2019-09-25 01:43:44 | corona10 | set | nosy: + corona10
2019-09-25 01:10:13 | vstinner | set | nosy: + vstinner, mdk
2019-09-21 19:34:38 | ned.deily | set | keywords: + security_issue; priority: normal -> high; versions: + Python 2.7, Python 3.5, Python 3.6, Python 3.8, Python 3.9
2019-09-21 04:25:04 | xtreak | set | nosy: + xtreak; messages: + msg352922
2019-09-21 02:17:30 | longwenzhang | create |