This repository has been archived by the owner on Jul 30, 2024. It is now read-only.
Impact
The xml.etree.ElementTree module that mofh used up until version 1.0.1 implements a simple and efficient API for parsing and creating XML data, but it leaves the application vulnerable to:
Billion Laughs attack: a denial-of-service attack aimed at XML parsers. It uses multiple levels of nested entities; when the parser expands them, a small document turns into a huge amount of text and the parser is overwhelmed.
Quadratic blowup attack: similar to a Billion Laughs attack, and likewise an abuse of entity expansion. Instead of nesting entities, it defines one large entity of a couple of thousand characters and references it repeatedly.
Patches
The problem has been patched starting from version 1.0.1 by using the defusedxml package instead of xml.etree.ElementTree.
Workarounds
For this vulnerability to be exploited, the attacker must control the XML the client parses: either the user is using a custom API URL, which has to be given manually through the api_url argument, or MyOwnFreeHost's own API must have been compromised. So users who did not set a custom API URL should be fine; upgrading is still advised.
Another workaround is to call defusedxml.defuse_stdlib() before making any requests with the client.
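The following is an added example, not code from mofh or from defusedxml. It shows why the stdlib parser is unsafe on untrusted input (a small, constructed nested-entity document that xml.etree.ElementTree expands to many times its size) and demonstrates the defensive pattern the advisory relies on: an expat parser whose entity-declaration handler raises, feeding an ElementTree TreeBuilder so that any entity declaration aborts parsing before expansion. The sample documents, the exception name and the function names are constructed for this example; the production fix remains upgrading mofh or calling defusedxml.defuse_stdlib() as the advisory states.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed sample: three levels of nested entities, ten references each.
# Entity a is 10 characters, b expands to 100, c to 1000. Real attacks use
# many more levels, which is what makes the expansion unbounded.
SAMPLE_EXPANDING_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY a "aaaaaaaaaa">
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<data>&c;</data>"""

# Constructed sample: an ordinary response with no DTD at all.
SAMPLE_CLEAN_DOC = b'<data><item id="1">ok</item></data>'


class EntityDeclarationRejected(ValueError):
    """Raised when the input declares an entity (hypothetical exception name)."""


def expanded_text_length(data: bytes) -> int:
    """Parse with the unprotected stdlib parser and report how much text the
    root element ends up holding. This is the behaviour the advisory warns
    about: entity references are expanded without any limit."""
    root = ET.fromstring(data)
    return len(root.text or "")


def parse_rejecting_entities(data: bytes) -> ET.Element:
    """Build an ElementTree from `data`, but abort as soon as the document
    declares an entity. Expat reports every <!ENTITY ...> declaration to
    EntityDeclHandler before any reference to it is expanded, so raising
    there stops both Billion Laughs and quadratic blowup documents early."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.buffer_text = True  # deliver character data in one piece per text node

    def reject_entity(name, is_parameter_entity, value, base,
                      system_id, public_id, notation_name):
        # Any exception raised inside an expat handler propagates out of Parse().
        raise EntityDeclarationRejected(f"entity declaration {name!r} is not allowed")

    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = builder.start   # (tag, attrs dict)
    parser.EndElementHandler = builder.end       # (tag)
    parser.CharacterDataHandler = builder.data   # (text)
    parser.Parse(data, True)
    return builder.close()


def rejects(data: bytes) -> bool:
    """True if the guarded parser refuses the document."""
    try:
        parse_rejecting_entities(data)
    except EntityDeclarationRejected:
        return True
    return False


def apply_defusedxml_workaround() -> bool:
    """The workaround named in the advisory: patch the stdlib parsers in place.
    Returns False when defusedxml is not installed (assumption: it may be absent)."""
    try:
        import defusedxml
    except ImportError:
        return False
    defusedxml.defuse_stdlib()
    return True


if __name__ == "__main__":
    print("input bytes:", len(SAMPLE_EXPANDING_DOC))
    print("stdlib expands root text to:", expanded_text_length(SAMPLE_EXPANDING_DOC))
    print("guarded parser rejects expanding doc:", rejects(SAMPLE_EXPANDING_DOC))
    print("guarded parser accepts clean doc:", parse_rejecting_entities(SAMPLE_CLEAN_DOC).tag)
    print("defusedxml available:", apply_defusedxml_workaround())
```

The guarded parser deliberately rejects every entity declaration rather than trying to count expansions, which is the same trade-off defusedxml makes by default: API responses like the ones mofh consumes never need a DTD, so refusing one outright costs nothing and removes the whole class of expansion attacks. A deployment that must accept DTDs would instead bound the amplification, which recent libexpat versions also do internally above a large output threshold; that limit is a backstop, not a substitute for the rejection shown here.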
References
https://en.wikipedia.org/wiki/Billion_laughs_attack
https://www.acunetix.com/vulnerabilities/web/xml-quadratic-blowup-denial-of-service-attack/
https://docs.python.org/3/library/xml.html#xml-vulnerabilities
https://cwe.mitre.org/data/definitions/611.html
https://cve.circl.lu/cve/CVE-2013-1664
https://cve.circl.lu/cve/CVE-2013-1665
https://pypi.org/project/defusedxml/
For more information
If you have any questions or comments about this advisory: