Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XML external entity (XXE) vulnerability #243

Open
Sami32 opened this issue Sep 20, 2018 · 4 comments
Open

XML external entity (XXE) vulnerability #243

Sami32 opened this issue Sep 20, 2018 · 4 comments

Comments

@Sami32
Copy link

Sami32 commented Sep 20, 2018
edited
Loading

Media servers using the Cling library have recently been spotted has having a security issue:
https://www.exploit-db.com/exploits/45146/
https://www.exploit-db.com/exploits/45133/
https://www.exploit-db.com/exploits/45145/

The XML parser don't disable the inline DTDs parsing by default or do not provide a mean to disable it AFAIK.
@christianbauer
Copy link
Member

I don't use or maintain Cling anymore. For this issue I would be willing to merge a pull request with a tested fix and do a new minor release. One of the many commercial users of Cling should have the budget to do this. I would assume the fix has to be done in https://github.com/4thline/seamless in the classes SAXParser and DOMParser.

Related: 4thline/seamless#9

@christianbauer christianbauer mentioned this issue Sep 24, 2018
Open
@Sami32
Copy link
Author

Sami32 commented Sep 24, 2018

Thank you for answering and having informed us about this project status +1
Let's hope that some commercial projects will care for their customers security then.

I forgot to say that BubbleUPnP is probably the one exposing more users, with Plex.
https://www.facebook.com/MyCloudPlayer/posts/bubbleupnp-upnpdlnawhats-new-sharing-to-bubbleupnp-from-the-my-cloud-player-for-/623858287682093/

@Sami32
Copy link
Author

Sami32 commented Sep 25, 2018

@christianbauer I just get an answer from BubbleUPnP developer on their XDA forum saying that they will address this issue in their next update, so let's hope they will be open source minded and push their fix into your Seamless project.

@SubJunk SubJunk mentioned this issue Oct 9, 2018
Open
@Sami32
Copy link
Author

Sami32 commented Nov 3, 2018

The security issue wasn't fixed:
UniversalMediaServer/UniversalMediaServer#1522 (comment)

So this issue should be re-opened.

@christianbauer christianbauer reopened this Nov 6, 2018
JasonMahdjoub added a commit to JasonMahdjoub/UPnPIGD that referenced this issue Mar 25, 2022
@JasonMahdjoub
FIX XXE issue : 4thline/cling#243
b1089e9
JasonMahdjoub added a commit to JasonMahdjoub/MaDKitLanEdition that referenced this issue Mar 25, 2022
@JasonMahdjoub
FIX XXE issue : 4thline/cling#243
4c61f99
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@christianbauer @Sami32