XML external entities allows remote mapping of server file system
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Incomplete
|
Undecided
|
Unassigned | ||
Bug Description
Affects:
I have verified the following affects Folsom, but not Grizzly. However, given the impact, I believe that a security fix should be made available and back-ported to Folsom.
Impact:
Attackers may perform a dictionary brute force attack with the intention of mapping the server’s File System, therefore enumerating user accounts is also possible by brute forcing directory names under /home.
Details:
A vulnerability exists in the Middleware Serialization component (keystone/
Because Middleware Serialization routines are performed for all (authenticated and unauthenticated) requests, anonymous attackers may easily exploit the issue without needing Keystone credentials. This problem is also vulnerable to a reflected DoS attack.
Fix:
Disable Local and Remote ENTITYs in lxml. Return customized error messages to clients. Specifically...
parser = etree.XMLParser
| Thierry Carrez (ttx) wrote | #1 |
| Changed in keystone: | |
| status: | New → Incomplete |
| Bryan D. Payne (bdpayne) wrote | #2 |
| information type: | Private Security → Public |
I think that was taken care of for stable/folsom after:
commit 8a2274595ac628b
Author: Dolph Mathews <email address hidden>
Date: Tue Feb 19 09:04:11 2013 -0600
Disable XML entity parsing
Fixes bug 1100282 and bug 1100279.
Change-Id: Ibf2d73bca17b68
So this looks like a duplicate of bug 1100279