4thline / cling

UPnP/DLNA library for Java and Android

XML external entity (XXE) vulnerability #243

Open Sami32 opened 5 years ago

Sami32 commented 5 years ago

Media servers using the Cling library have recently been spotted as having a security issue: https://www.exploit-db.com/exploits/45146/ https://www.exploit-db.com/exploits/45133/ https://www.exploit-db.com/exploits/45145/

The XML parser doesn't disable inline DTD parsing by default, or does not provide a means to disable it, AFAIK.

christianbauer commented 5 years ago

I don't use or maintain Cling anymore. For this issue I would be willing to merge a pull request with a tested fix and do a new minor release. One of the many commercial users of Cling should have the budget to do this. I would assume the fix has to be done in https://github.com/4thline/seamless in the classes SAXParser and DOMParser.

Related: https://github.com/4thline/seamless/issues/9

Sami32 commented 5 years ago

Thank you for answering and for informing us about this project's status +1. Let's hope that some commercial projects will care about their customers' security then.

I forgot to say that BubbleUPnP is probably the one exposing more users, with Plex. https://www.facebook.com/MyCloudPlayer/posts/bubbleupnp-upnpdlnawhats-new-sharing-to-bubbleupnp-from-the-my-cloud-player-for-/623858287682093/

Sami32 commented 5 years ago

@christianbauer I just got an answer from the BubbleUPnP developer on their XDA forum saying that they will address this issue in their next update, so let's hope they will be open-source minded and push their fix into your Seamless project.

Sami32 commented 5 years ago

The security issue wasn't fixed: https://github.com/UniversalMediaServer/UniversalMediaServer/issues/1522#issuecomment-435582701

So this issue should be re-opened.