sbrl / Pepperminty-Wiki

A wiki in a box
https://peppermint.mooncarrot.space/
Mozilla Public License 2.0

XXE DoS in getsvgsize #152

Closed prodigysml closed 6 years ago

prodigysml commented 6 years ago

Issue

Pepperminty-Wiki is vulnerable to XXE attacks due to the usage of the simplexml_load_file function without disabling entities. This leads to a confirmed denial of service scenario (https://en.wikipedia.org/wiki/Billion_laughs_attack) and may lead to execution of commands on the server.

Where the Issue Occurred

If an uploaded SVG containing the billion laughs payload makes its way to the simplexml_load_file function, the denial of service scenario is triggered. The exact locations in the code are given below:
https://github.com/sbrl/Pepperminty-Wiki/blob/e0aeda8b170ed5850c48641f4614cb115655dcdc/build/index.php#L5469
https://github.com/sbrl/Pepperminty-Wiki/blob/e0aeda8b170ed5850c48641f4614cb115655dcdc/modules/feature-upload.php#L624

Remediation

Prior to loading any XML, disable entities, ensuring that the above-mentioned attacks will no longer be possible:
libxml_disable_entity_loader(true);
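As an added example (not Pepperminty-Wiki's own code), a hardened SVG size check in the spirit of the remediation above: it refuses any DOCTYPE or ENTITY declaration before the bytes reach libxml, then parses with LIBXML_NONET and without LIBXML_NOENT so nothing is substituted or fetched. The function name svg_size_safe and the sample inputs are assumptions for illustration.

```php
<?php
// Added example, not the project's code. svg_size_safe() is a hypothetical name.
// Returns ['width' => float, 'height' => float] for an acceptable SVG, null otherwise.
function svg_size_safe(string $path): ?array {
    $xml = file_get_contents($path);
    if ($xml === false || preg_match('//u', $xml) !== 1) {
        return null; // unreadable or not valid UTF-8: do not guess at the encoding
    }
    // 1. A legitimate SVG never needs a DTD. Both billion-laughs style entity
    //    expansion and external entity references live inside <!DOCTYPE>/<!ENTITY>,
    //    so reject the file before any parser sees it.
    if (preg_match('/<!(DOCTYPE|ENTITY)/i', $xml)) {
        return null;
    }
    // 2. Parse with no entity substitution (no LIBXML_NOENT) and no network
    //    access (LIBXML_NONET); collect parser errors instead of emitting warnings.
    $prev = libxml_use_internal_errors(true);
    $svg  = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($svg === false || strtolower($svg->getName()) !== 'svg') {
        return null; // not well-formed XML, or the root element is not <svg>
    }
    // 3. Accept only plain numeric width/height (optional px suffix).
    $attrs = $svg->attributes();
    $w = (string)($attrs['width'] ?? '');
    $h = (string)($attrs['height'] ?? '');
    $num = '/^\d+(\.\d+)?(px)?$/';
    if (!preg_match($num, $w) || !preg_match($num, $h)) {
        return null;
    }
    return ['width' => (float)$w, 'height' => (float)$h];
}

// Constructed samples: an ordinary SVG is accepted, a file carrying a DTD is rejected.
$samples = [
    'plain' => '<svg xmlns="http://www.w3.org/2000/svg" width="120" height="80"></svg>',
    'dtd'   => '<!DOCTYPE svg [<!ENTITY a "1">]><svg width="&a;" height="1"></svg>',
];
foreach ($samples as $label => $content) {
    $tmp = tempnam(sys_get_temp_dir(), 'svg');
    file_put_contents($tmp, $content);
    var_dump($label, svg_size_safe($tmp)); // plain => array, dtd => NULL
    unlink($tmp);
}
```

On PHP 8.0 and later libxml_disable_entity_loader() is deprecated because libxml2 2.9+ already disables external entity loading by default, so refusing the DOCTYPE up front and parsing without LIBXML_NOENT is the portable guard.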

sbrl commented 6 years ago

Oooh, thanks for the detailed report! I'll fix that right away and release a patch. I'll also add you to the credits page.

How did you discover it, out of curiosity?

prodigysml commented 6 years ago

I was actually just reading through your code and then realised it. Took a fair bit of searching before reporting to be sure. I guess I was more just curious on how you handle the SVG files :)

sbrl commented 6 years ago

@ProDigySML Cool! I'll have a patch out in 1/2 hour max. I wasn't sure how to handle an SVG correctly, so I brainstormed a few ways to simply check if a valid SVG is being uploaded, and ended up checking to make sure it's valid XML and that it's got a valid size.

The whole file upload system is a bit of a mess, tbh - but I'm not sure how I could tidy it up any further without rewriting the whole thing :P

sbrl commented 6 years ago

Released v0.15.1: https://github.com/sbrl/Pepperminty-Wiki/releases/tag/v0.15.1

Thanks for taking the time to do such a thorough investigation into the issue, @ProDigySML! I didn't even know that XML entities were a thing :P