XML external entities allow remote mapping of server file system
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Incomplete | Undecided | Unassigned | 
Bug Description
Affects:
I have verified the following affects Folsom, but not Grizzly. However, given the impact, I believe that a security fix should be made available and back-ported to Folsom.
Impact:
Attackers may perform a dictionary brute-force attack with the intention of mapping the server's file system; enumerating user accounts is therefore also possible by brute-forcing directory names under /home.
Details:
A vulnerability exists in the Middleware Serialization component (keystone/
Because Middleware Serialization routines are performed for all (authenticated and unauthenticated) requests, anonymous attackers may easily exploit the issue without needing Keystone credentials. This problem is also vulnerable to a reflected DoS attack.
Fix:
Disable Local and Remote ENTITYs in lxml. Return customized error messages to clients. Specifically...
parser = etree.XMLParser
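The vulnerable and hardened parser configurations side by side, as an added example that is not Keystone's code and not the reporter's snippet. It assumes lxml is installed, constructs its own XXE payload (loosely shaped like a v2 auth request) and its own sample file standing in for /etc/passwd, and shows the two things the report describes: an expanded external entity leaks the file into the parsed request, and the presence or absence of that leak is the oracle an unauthenticated attacker uses to brute-force paths. `handle_request` is the hypothetical hardened handler: entity expansion off, and libxml2's error text replaced by one fixed message so parse failures no longer reflect anything back.

```python
"""XXE in an lxml-backed request parser: vulnerable configuration beside the fix.

Added example; this is not Keystone's code. It assumes lxml is installed
and constructs its own payload and sample file so it runs offline.
"""
import os
import tempfile

from lxml import etree

SECRET = "S3CRET-MARKER"          # constructed file contents, used as the leak signal
GENERIC_ERROR = "Malformed XML request"


def make_sample_file(contents=SECRET):
    """Write a throwaway file standing in for something like /etc/passwd."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(contents)
    return path


def xxe_payload(path):
    """Constructed attacker request: an external general entity pointing at a
    local file, expanded into an element the server will read back."""
    return (
        '<?xml version="1.0"?>'
        '<!DOCTYPE auth [<!ENTITY xxe SYSTEM "file://%s">]>'
        '<auth><passwordCredentials username="admin" password="x"/>'
        '<tenantName>&xxe;</tenantName></auth>' % path
    ).encode("utf-8")


def extract(doc, resolve_entities):
    """Parse as the server would and return the tenantName text,
    or None if libxml2 rejected the document."""
    parser = etree.XMLParser(resolve_entities=resolve_entities, no_network=True)
    try:
        root = etree.fromstring(doc, parser)
    except etree.LxmlError:
        return None
    return root.findtext("tenantName")


def file_exists_oracle(path):
    """What an unauthenticated attacker learns from the vulnerable parser
    (entities expanded): a non-empty result means the file was read, so
    guessing paths one by one maps the file system and /home."""
    return bool(extract(xxe_payload(path), resolve_entities=True))


def handle_request(doc):
    """Hypothetical hardened handling: no entity expansion, and parse failures
    collapse to one fixed message instead of echoing libxml2's error text."""
    parser = etree.XMLParser(resolve_entities=False, no_network=True)
    try:
        root = etree.fromstring(doc, parser)
    except etree.LxmlError:
        return {"error": GENERIC_ERROR}
    creds = root.find("passwordCredentials")
    if creds is None:
        return {"error": GENERIC_ERROR}
    return {"username": creds.get("username"),
            "tenant": root.findtext("tenantName") or ""}


if __name__ == "__main__":
    sample = make_sample_file()
    print("vulnerable parser sees:", extract(xxe_payload(sample), resolve_entities=True))
    print("oracle existing/missing:", file_exists_oracle(sample),
          file_exists_oracle(sample + ".missing"))
    print("hardened handler returns:", handle_request(xxe_payload(sample)))
    os.remove(sample)
```

`resolve_entities=True` is passed explicitly for the vulnerable case rather than relying on lxml's default, because the default has varied across lxml releases; `resolve_entities=False` is the setting the report's fix asks for, and with it the `&xxe;` reference stays an unexpanded entity node, so the element's text is empty whatever the file contains.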
information type: Private Security → Public
I think that was taken care of for stable/folsom after:
commit 8a2274595ac628b2373eab0cb14690f866b7a024
Author: Dolph Mathews <email address hidden>
Date: Tue Feb 19 09:04:11 2013 -0600
Disable XML entity parsing
Fixes bug 1100282 and bug 1100279.
Change-Id: Ibf2d73bca17b689cfa2dfd29eb15ea6e7458a123
So this looks like a duplicate of bug 1100279