exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PyBlosxom XML Injection

PyBlosxom XML Injection
Posted Feb 9, 2009
Authored by Nam Nguyen | Site bluemoon.com.vn

PyBlosxom version 1.4.3 suffers from an XML injection issue.

tags | advisory, xxe
SHA-256 | 850fde8e257e3ae86d20194d89af20fdf32a82d2be7326005471f309eb090207

PyBlosxom XML Injection

Change Mirror Download
BLUE MOON SECURITY ADVISORY 2009-02
===================================


:Title: XML Injection in PyBlosxom
:Severity: Low
:Reporter: Blue Moon Consulting
:Products: PyBlosxom v1.4.3
:Fixed in: --


Description
-----------

PyBlosxom is a lightweight file-based weblog system. The project started as a Python clone of Blosxom but has since evolved into a beast of its own. PyBlosxom focuses on three things: simplicity, extensibility, and community.

In v1.4.3, PyBlosxom suffers an XML injection issue. This allows a malicious user to insert abitrary code into the XML output from PyBlosxom.

The problem is with Atom flavor. Its ``head.atom`` uses ``$(url)`` and ``$url`` variables, in many places, that were not properly escaped. Injection can be made by forcing PyBloxsom to use Atom flavor such as ``http://host/path/%3Ccool%3E?flav=atom``. A tag ``<cool>`` is injected in such URL.

Blue Moon Consulting has verified the bug in version 1.4.3. It is highly likely that it also exists in older versions starting from 1.3.

Workaround
----------

Disable Atom flavor by deleting ``atom.flav`` directory.

Fix
---

Users of PyBlosxom are advised to contact the vendor directly for a proper fix.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

February 07, 2009: Initial contact sent to Will Guaraldi.

:Vendor response:

February 07, 2009: Will replied PyBlosxom did not use XML, so there could be no XML injection bug.

:Further communication:

February 07, 2009: Replied to Will that we did find such bug.

February 08, 2009: Will was skeptical about the bug but asked us to file it in the bug tracker anyway.

February 08, 2009: We replied that filing security bug in a public bug tracker was not our disclosure practice. We again stated our disclosure policy and asked Will to accept it before we could send him further details.

February 08, 2009: Will said he would not make any agreement. We therefore decided to alert the public.

:Public disclosure: February 09, 2009

:Exploit code: No exploit code is needed.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close