XEE possible in mahara

Bug #1047111 reported by Melissa Draper
Affects   Status        Importance   Assigned to      Milestone
Mahara    Fix Released  Critical     Hugh Davenport
1.4       Fix Released  Critical     Hugh Davenport
1.5       Fix Released  Critical     Hugh Davenport

Bug Description

There is a security issue with the default XML parser for PHP, where ENTITY fields are
loaded and substituted in text parts.

This allows possible attackers to read from internal networks, or files readable by the
web server user.

This includes reading of the config.php file, which contains sensitive information such
as the database password, and the password salt field.

The fix for this was to include a call to libxml_disable_entity_loader(true) during the
initialization of a page.

More information can be found at the following:
 http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities
 http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html

Reported by Mike Haworth.

Melissa Draper (melissa)
summary: - XXE possible in mahara
+ XEE possible in mahara
Revision history for this message
Hugh Davenport (hugh-davenport) wrote :

Note that this won't change the default block title if it contains secure content in it, only block content.

Melissa Draper (melissa) wrote :
visibility: private → public
Melissa Draper (melissa)
description: updated
Melissa Draper (melissa)
Changed in mahara:
status: Confirmed → Fix Committed
Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/1784
Committed: http://gitorious.org/mahara/mahara/commit/9748c636d45712f23ec730e09a9edbf14c49956b
Submitter: Melissa Draper (<email address hidden>)
Branch: master

commit 9748c636d45712f23ec730e09a9edbf14c49956b
Author: Hugh Davenport <email address hidden>
Date: Tue Oct 16 13:25:56 2012 +1300

    Fix Leap2A import from Moodle

    Related to bug #1047111

    That bug fixed the XXE attack by setting the following to true
     libxml_disable_entity_loader

    This caused issues with the leap2a importer used by mnet, which
    used the simplexml_load to load the xml which relies on file
    based remote entities. For this situation, the following flag
    is used, which stops network based XXE attacks
     LIBXML_NONET

    Change-Id: I3d95ebc9c38374d339d66a80feaa39f5c15f1022
    Signed-off-by: Hugh Davenport <email address hidden>

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/1790
Committed: http://gitorious.org/mahara/mahara/commit/353870b01a0ba0d6c94c8f7c4e30cabf5627d95f
Submitter: Melissa Draper (<email address hidden>)
Branch: 1.4_STABLE

commit 353870b01a0ba0d6c94c8f7c4e30cabf5627d95f
Author: Hugh Davenport <email address hidden>
Date: Tue Oct 16 13:25:56 2012 +1300

    Fix Leap2A import from Moodle

    Related to bug #1047111

    That bug fixed the XXE attack by setting the following to true
     libxml_disable_entity_loader

    This caused issues with the leap2a importer used by mnet, which
    used the simplexml_load to load the xml which relies on file
    based remote entities. For this situation, the following flag
    is used, which stops network based XXE attacks
     LIBXML_NONET

    Change-Id: I3d95ebc9c38374d339d66a80feaa39f5c15f1022
    Signed-off-by: Hugh Davenport <email address hidden>

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/1792
Committed: http://gitorious.org/mahara/mahara/commit/c1a8c97f665cb558d3c58f0e68bd059c8bfe7fde
Submitter: Melissa Draper (<email address hidden>)
Branch: 1.6_STABLE

commit c1a8c97f665cb558d3c58f0e68bd059c8bfe7fde
Author: Hugh Davenport <email address hidden>
Date: Tue Oct 16 13:25:56 2012 +1300

    Fix Leap2A import from Moodle

    Related to bug #1047111

    That bug fixed the XXE attack by setting the following to true
     libxml_disable_entity_loader

    This caused issues with the leap2a importer used by mnet, which
    used the simplexml_load to load the xml which relies on file
    based remote entities. For this situation, the following flag
    is used, which stops network based XXE attacks
     LIBXML_NONET

    Change-Id: I3d95ebc9c38374d339d66a80feaa39f5c15f1022
    Signed-off-by: Hugh Davenport <email address hidden>

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/1791
Committed: http://gitorious.org/mahara/mahara/commit/ecc08a242be1b23fcb10bc4d96e93da128c3a3d6
Submitter: Melissa Draper (<email address hidden>)
Branch: 1.5_STABLE

commit ecc08a242be1b23fcb10bc4d96e93da128c3a3d6
Author: Hugh Davenport <email address hidden>
Date: Tue Oct 16 13:25:56 2012 +1300

    Fix Leap2A import from Moodle

    Related to bug #1047111

    That bug fixed the XXE attack by setting the following to true
     libxml_disable_entity_loader

    This caused issues with the leap2a importer used by mnet, which
    used the simplexml_load to load the xml which relies on file
    based remote entities. For this situation, the following flag
    is used, which stops network based XXE attacks
     LIBXML_NONET

    Change-Id: I3d95ebc9c38374d339d66a80feaa39f5c15f1022
    Signed-off-by: Hugh Davenport <email address hidden>

Revision history for this message
Hugh Davenport (hugh-davenport) wrote :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 status fixreleased
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iJwEAQECAAYFAlCbHO8ACgkQuMoJ2LQ3zxH8TAP/YN4BiCJZsn5a899/0UzV31Qg
lM8LXAwZWa6zFv6t0BQUHCqe6eFK9wPp51qgCWWXjUZ3vvvVcsyeWp6626aBFKSU
pCQXI9E7huPw802nJQ9WcZXRBUmgw87ww72Tx4mybnu7SPSrkZgXdnPGSMwDs89N
oWvTpl7Xuac48e6p0lU=
=ouU+
-----END PGP SIGNATURE-----

Changed in mahara:
status: Fix Committed → Fix Released
Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/2102
Committed: http://gitorious.org/mahara/mahara/commit/f33d4cef66356d3fd96c54bde58bee983d6e61a1
Submitter: Aaron Wells (<email address hidden>)
Branch: master

commit f33d4cef66356d3fd96c54bde58bee983d6e61a1
Author: Aaron Wells <email address hidden>
Date: Wed May 1 14:16:23 2013 +1200

    Documenting safe usage of simplexml_load_file()

    Bug1047111

    Change-Id: I850603dbc1d85f4360ce227d2658e5abb51af1aa

Revision history for this message
Aaron Wells (u-aaronw) wrote :

I added a comment to init.php explaining why we used libxml_disable_entity_loader(), and the safe way to use simplexml_load_file with LIBXML_NONET: https://reviews.mahara.org/#/c/2102/

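The behaviour this report describes and the two fixes discussed in the thread (the process-wide libxml_disable_entity_loader(true) call, and the LIBXML_NONET option the Leap2A importer needed instead), shown side by side as an added PHP example. This is not Mahara's code: the XXE document, the temporary file standing in for config.php, the http://127.0.0.1:9/ URL and every function name are constructed for the example. LIBXML_NOENT is passed explicitly because libxml2 2.9.0 and later no longer fetch external parsed entities by default, so the bare default of 2012 has to be reproduced deliberately on a current stack.

```php
<?php
declare(strict_types=1);

// Added example, not Mahara code. Payload, temp file, URL and function names
// are constructed for illustration.

// A constructed XXE document of the kind the report describes: the DOCTYPE
// declares an external entity whose SYSTEM identifier is a URI, and the body
// references it, so whatever the parser fetches lands inside <content>.
function xxeDocument(string $uri): string
{
    return "<?xml version=\"1.0\"?>\n"
        . "<!DOCTYPE doc [ <!ENTITY secret SYSTEM \"{$uri}\"> ]>\n"
        . "<doc><content>&secret;</content></doc>\n";
}

// Parse and return the text of <content>, or null if the document did not
// parse. A blocked entity either expands to an empty string or (with
// LIBXML_NOENT) fails the parse; in both cases nothing leaks.
function contentOf(string $xml, int $options): ?string
{
    libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', $options);
    libxml_clear_errors();
    return $doc === false ? null : (string) $doc->content;
}

// The call as the report found it: nothing restricts the entity loader.
// libxml2 before 2.9.0 fetched external parsed entities even without
// LIBXML_NOENT; on 2.9.0 and later the same leak needs LIBXML_NOENT, which is
// passed here so the example reproduces the 2012 default on a current stack.
function parseAsFound(string $xml): ?string
{
    return contentOf($xml, LIBXML_NOENT);
}

// The fix on this page: switch the external entity loader off for the whole
// process, so file:// and http:// entities alike fail to load whatever options
// a later parse call passes. libxml_disable_entity_loader() is deprecated on
// PHP >= 8.0; there libxml_set_external_entity_loader() with a resolver that
// returns null is the supported equivalent, so that is what is used on 8.x.
function parseWithEntityLoaderDisabled(string $xml): ?string
{
    $previous = false;
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    } else {
        libxml_set_external_entity_loader(function () { return null; });
    }
    try {
        return contentOf($xml, LIBXML_NOENT);
    } finally {
        if (PHP_VERSION_ID < 80000) {
            libxml_disable_entity_loader($previous);
        } else {
            libxml_set_external_entity_loader(null);
        }
    }
}

// The follow-up for the Leap2A importer, which relies on file-based entities
// and therefore broke under the global switch: LIBXML_NONET refuses network
// fetches but still lets file:// resolve. That closes the internal-network
// read the report mentions, not the local-file read, so it is only acceptable
// for documents from a trusted peer (mnet), never for an arbitrary upload.
function parseLocalEntitiesOnly(string $xml): ?string
{
    return contentOf($xml, LIBXML_NONET | LIBXML_NOENT);
}

// Defence in depth the page does not mention: untrusted XML has no business
// carrying a DOCTYPE at all, so refuse it before any parser sees it.
function isDoctypeFree(string $xml): bool
{
    return stripos($xml, '<!DOCTYPE') === false;
}

// Run each variant against a file entity (the config.php case) and the NONET
// variant against a network entity as well. Returns mode => result.
function demo(): array
{
    $secretFile = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($secretFile, "dbpass=hunter2\n");   // stands in for config.php
    $fileDoc = xxeDocument('file://' . $secretFile);
    $netDoc  = xxeDocument('http://127.0.0.1:9/');         // NONET refuses this before any connect

    $results = [
        'as found, file entity'        => parseAsFound($fileDoc),
        'loader disabled, file entity' => parseWithEntityLoaderDisabled($fileDoc),
        'NONET, file entity'           => parseLocalEntitiesOnly($fileDoc),
        'NONET, http entity'           => parseLocalEntitiesOnly($netDoc),
        'doctype check'                => isDoctypeFree($fileDoc) ? 'accepted' : 'refused',
    ];
    unlink($secretFile);
    return $results;
}

foreach (demo() as $mode => $result) {
    printf("%-30s %s\n", $mode, $result === null ? '(parse failed)' : var_export($result, true));
}
```

Run it with `php xxe_demo.php` on a Unix-like host. The first line shows the leak the report is about (the temp file's contents in `<content>`), the second shows the page's fix stopping it regardless of parse options, and the two NONET lines show the trade-off the Leap2A commit accepted: the http:// entity is refused, the file:// entity still resolves. That is why LIBXML_NONET is an answer only for XML arriving from a trusted mnet peer, while the process-wide switch, or simply refusing any document with a DOCTYPE, is the right default for anything a user uploads.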
This report contains Public Security information  
Everyone can see this security related information.