Closed prodigysml closed 6 years ago
Oooh, thanks for the detailed report! I'll fix that right away and release a patch. I'll also add you to the credits page.
How did you discover it, out of curiosity?
I was actually just reading through your code and then realised it. Took a fair bit of searching before reporting to be sure. I guess I was more just curious on how you handle the SVG files :)
@ProDigySML Cool! I'll have a patch out in 1/2 hour max. I wasn't sure how to handle an SVG correctly, so I brainstormed a few ways to simply check if a valid SVG is being uploaded, and ended up checking to make sure it's valid XML and that it's got a valid size.
The whole file upload system is a bit of a mess, tbh - but I'm not sure how I could tidy it up any further without rewriting the whole thing :P
Released v0.15.1: https://github.com/sbrl/Pepperminty-Wiki/releases/tag/v0.15.1
Thanks for taking the time to do such a thorough investigation into the issue, @ProDigySML! I didn't even know that XML entities were a thing :P
Issue
Pepperminty-Wiki is vulnerable to XXE attacks due to the usage of the simplexml_load_file function without disabling entities. This leads to a confirmed denial of service scenario (https://en.wikipedia.org/wiki/Billion_laughs_attack) and may lead to execution of commands on the server.
Where the Issue Occurred
If an uploaded svg, containing the billion laughs payload, makes its way to the simplexml_load_file function, the denial of service scenario is triggered. The exact locations in the code are given below:
https://github.com/sbrl/Pepperminty-Wiki/blob/e0aeda8b170ed5850c48641f4614cb115655dcdc/build/index.php#L5469
https://github.com/sbrl/Pepperminty-Wiki/blob/e0aeda8b170ed5850c48641f4614cb115655dcdc/modules/feature-upload.php#L624
Remediation
Prior to loading any xml, disable entities ensuring that the above-mentioned attacks will no longer be possible.
libxml_disable_entity_loader(true);
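For reference, here is an added example of how an upload handler can validate an SVG without ever letting the parser expand entities. It is not Pepperminty-Wiki's code and goes a little beyond the one-line fix above: besides disabling the external entity loader on older PHP, it rejects any document that declares a DOCTYPE or entities at all (a legitimate SVG upload has no need for them), parses from memory with LIBXML_NONET and without LIBXML_NOENT, and then checks that the root element is an svg with a usable size, which is the "valid XML plus valid size" check discussed in the thread. The function name is_safe_svg and the two sample documents are constructed for this illustration.

```php
<?php
// Added example (not Pepperminty-Wiki code). Validates an uploaded SVG while
// refusing entity expansion. The function name and samples are constructed.

/**
 * Returns true when $data is a well-formed SVG that is safe to keep.
 *
 * Defence in depth:
 *  1. Refuse any DOCTYPE or ENTITY declaration outright; this stops
 *     billion-laughs style amplification before libxml sees the document.
 *  2. Parse with LIBXML_NONET and WITHOUT LIBXML_NOENT, so no entity
 *     substitution or network fetch can happen even if step 1 were bypassed.
 *  3. Require an <svg> root carrying either a viewBox or width and height.
 */
function is_safe_svg(string $data): bool {
    // 1. A DTD or entity declaration is never needed in an uploaded SVG.
    if (preg_match('/<!(DOCTYPE|ENTITY)\b/i', $data)) {
        return false;
    }

    // On PHP < 8.0 the external entity loader must be switched off explicitly;
    // from 8.0 onwards it is disabled by default and the call is deprecated.
    $prevLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $prevLoader = libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);

    // 2. Parse from memory; never pass LIBXML_NOENT or LIBXML_DTDLOAD.
    $xml = simplexml_load_string($data, 'SimpleXMLElement', LIBXML_NONET);
    $parseErrors = libxml_get_errors();
    libxml_clear_errors();

    // Restore the global libxml state we changed.
    libxml_use_internal_errors($prevErrors);
    if ($prevLoader !== null) {
        libxml_disable_entity_loader($prevLoader);
    }

    if ($xml === false || count($parseErrors) > 0) {
        return false;
    }

    // 3. Root element must be <svg> and must declare a size we can check.
    if ($xml->getName() !== 'svg') {
        return false;
    }
    $width   = (string) $xml['width'];
    $height  = (string) $xml['height'];
    $viewBox = (string) $xml['viewBox'];
    if ($viewBox === '' && ($width === '' || $height === '')) {
        return false;
    }
    return true;
}

// Constructed sample inputs: a plain SVG, and one that declares an entity.
$benign = '<?xml version="1.0"?>'
    . '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    . '<rect width="10" height="10"/></svg>';
$withEntity = '<?xml version="1.0"?>'
    . '<!DOCTYPE svg [<!ENTITY a "x">]>'
    . '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">&a;</svg>';

var_dump(is_safe_svg($benign));
var_dump(is_safe_svg($withEntity));
```

The rejection in step 1 is the cheap part that matters most: a parser-level entity limit only bounds the damage, whereas refusing declarations means the upload is dropped before any expansion work is done. Step 2 still matters for files that reach the parser by another route, because LIBXML_NOENT (which, despite its name, turns substitution on) is an easy flag to add by mistake.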