Headline
GHSA-7r9x-qrpr-3cxw: mofh Vulnerable to Improper Restriction of XML External Entity Reference
The xml.etree.ElementTree module that mofh used up until version 1.0.1 implements a simple and efficient API for parsing and creating XML data. But it makes the application vulnerable to:
- Billion Laughs attack: It is a type of denial-of-service attack aimed at XML parsers. It uses multiple levels of nested entities. If one large entity is repeated with a couple of thousand chars repeatedly, the parser gets overwhelmed.
- Quadratic blowup attack: It is similar to a Billion Laughs attack. It abuses entity expansion, too. Instead of nested entities, it repeats one large entity with a couple of thousand chars repeatedly.
The Problem has been patched starting from version 1.0.1 by utilising the defusedxml package instead of xml.etree.ElementTree.
Workarounds
For this vulnerability to be exploited the user must be using a custom API URL, which has to be manually given using the api_url argument, or MyOwnFreeHost’s API must be hacked. So, if the user did not use a custom API URL they should be fine, however, upgrading is still advised.
Another workaround could be to call defusedxml.defuse_stdlib() before making any requests using the client.
The xml.etree.ElementTree module that mofh used up until version 1.0.1 implements a simple and efficient API for parsing and creating XML data. But it makes the application vulnerable to:
- Billion Laughs attack: It is a type of denial-of-service attack aimed at XML parsers. It uses multiple levels of nested entities. If one large entity is repeated with a couple of thousand chars repeatedly, the parser gets overwhelmed.
- Quadratic blowup attack: It is similar to a Billion Laughs attack. It abuses entity expansion, too. Instead of nested entities, it repeats one large entity with a couple of thousand chars repeatedly.
The Problem has been patched starting from version 1.0.1 by utilising the defusedxml package instead of xml.etree.ElementTree.
Workarounds
For this vulnerability to be exploited the user must be using a custom API URL, which has to be manually given using the api_url argument, or MyOwnFreeHost’s API must be hacked. So, if the user did not use a custom API URL they should be fine, however, upgrading is still advised.
Another workaround could be to call defusedxml.defuse_stdlib() before making any requests using the client.
References
- GHSA-7r9x-qrpr-3cxw
- Wallvon/mofh@da0d33c
- https://www.acunetix.com/vulnerabilities/web/xml-quadratic-blowup-denial-of-service-attack/