Skip to content

mofh Vulnerable to Improper Restriction of XML External Entity Reference

Moderate severity GitHub Reviewed Published Aug 7, 2022 in Wallvon/mofh • Updated Jan 7, 2023

Package

pip mofh (pip)

Affected versions

< 1.0.1

Patched versions

1.0.1

Description

The xml.etree.ElementTree module that mofh used up until version 1.0.1 implements a simple and efficient API for parsing and creating XML data. But it makes the application vulnerable to:

  • Billion Laughs attack: It is a type of denial-of-service attack aimed at XML parsers. It uses multiple levels of nested entities. If one large entity is repeated with a couple of thousand chars repeatedly, the parser gets overwhelmed.
  • Quadratic blowup attack: It is similar to a Billion Laughs attack. It abuses entity expansion, too. Instead of nested entities, it repeats one large entity with a couple of thousand chars repeatedly.

The Problem has been patched starting from version 1.0.1 by utilising the defusedxml package instead of xml.etree.ElementTree.

Workarounds

For this vulnerability to be exploited the user must be using a custom API URL, which has to be manually given using the api_url argument, or MyOwnFreeHost's API must be hacked. So, if the user did not use a custom API URL they should be fine, however, upgrading is still advised.

Another workaround could be to call defusedxml.defuse_stdlib() before making any requests using the client.

References

@Wallvon Wallvon published to Wallvon/mofh Aug 7, 2022
Published to the GitHub Advisory Database Aug 11, 2022
Reviewed Aug 11, 2022
Last updated Jan 7, 2023

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-7r9x-qrpr-3cxw

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.