[BMSA-2009-02] XML injection in PyBlosxom

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: [BMSA-2009-02] XML injection in PyBlosxom
From: Nam Nguyen <namn@xxxxxxxxxxxxxxx>
Date: Mon, 9 Feb 2009 09:34:02 +0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Blue Moon Consulting Co., Ltd

BLUE MOON SECURITY ADVISORY 2009-02
===================================


:Title: XML Injection in PyBlosxom
:Severity: Low
:Reporter: Blue Moon Consulting
:Products: PyBlosxom v1.4.3
:Fixed in: --


Description
-----------

PyBlosxom is a lightweight file-based weblog system. The project started as a 
Python clone of Blosxom but has since evolved into a beast of its own. 
PyBlosxom focuses on three things: simplicity, extensibility, and community.

In v1.4.3, PyBlosxom suffers an XML injection issue. This allows a malicious 
user to insert abitrary code into the XML output from PyBlosxom.

The problem is with Atom flavor. Its ``head.atom`` uses ``$(url)`` and ``$url`` 
variables, in many places, that were not properly escaped. Injection can be 
made by forcing PyBloxsom to use Atom flavor such as 
``http://host/path/%3Ccool%3E?flav=atom``. A tag ``<cool>`` is injected in such 
URL.

Blue Moon Consulting has verified the bug in version 1.4.3. It is highly likely 
that it also exists in older versions starting from 1.3.

Workaround
----------

Disable Atom flavor by deleting ``atom.flav`` directory.

Fix
---

Users of PyBlosxom are advised to contact the vendor directly for a proper fix.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 
<http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

  February 07, 2009: Initial contact sent to Will Guaraldi.

:Vendor response:

  February 07, 2009: Will replied PyBlosxom did not use XML, so there could be 
no XML injection bug.

:Further communication:

  February 07, 2009: Replied to Will that we did find such bug.

  February 08, 2009: Will was skeptical about the bug but asked us to file it 
in the bug tracker anyway.

  February 08, 2009: We replied that filing security bug in a public bug 
tracker was not our disclosure practice. We again stated our disclosure policy 
and asked Will to accept it before we could send him further details.

  February 08, 2009: Will said he would not make any agreement. We therefore 
decided to alert the public. 

:Public disclosure: February 09, 2009

:Exploit code: No exploit code is needed.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty 
of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness for 
a particular purpose. Your use of the information on the advisory or materials 
linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd 
reserves the right to change or update this notice at any time.

Attachment: pgpg2CxOiaFLI.pgp
Description: PGP signature

Prev by Date: Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!)
Next by Date: PHP filesystem attack vectors
Previous by thread: [SECURITY] [DSA 1718-1] New boinc packages fix validation bypass
Next by thread: PHP filesystem attack vectors
Index(es):
- Date
- Thread