Skip to content
This repository has been archived by the owner on Oct 1, 2020. It is now read-only.

XML External Entity (XXE) Vulnerability in Latest Release #676

Open
HatBoy opened this issue Mar 21, 2019 · 1 comment
Open

XML External Entity (XXE) Vulnerability in Latest Release #676

HatBoy opened this issue Mar 21, 2019 · 1 comment

Comments

@HatBoy
Copy link

HatBoy commented Mar 21, 2019

Hi, I would like to report XML External Entity (XXE) vulnerability in latest release.
Description:
XML External Entity (XXE) vulnerability in quokka/utils/atom.py 157 line and auokka/core/content/views.py 94 line, Because there is no filter authors, title.
Steps To Reproduce:
1.Create a article, title and authors can insert XML payload.
2.Open the url:
http://192.168.100.8:8000/author/{author}/index.rss
http://192.168.100.8:8000/author/{author}/index.atom
can see the title and authors has inserted into the XML.
3
4
5

author by jin.dong@dbappsecurity.com.cn
@marcosptf marcosptf mentioned this issue May 19, 2019
Open
@marcosptf
Copy link
Collaborator

was removed WIP from pr and fixed this issue:
hotfix ready to merge: please make your comments and reviews:
#679

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@marcosptf @HatBoy