XML Injection DoS attack #87
Comments
This apparently was assigned CVE-2019-1010017.
It seems there has been some work on XML bomb attacks in the past. Maybe it's best to update here and get it fixed?
Please refer to #101 for a suggested fix.
will be fixed by PR #107 as soon as travis wakes up
fixed by new release v0.7.2. Package is also available in pip:
Issue
Libnmap is vulnerable to XML Bomb attacks using the following:
https://en.wikipedia.org/wiki/Billion_laughs_attack
Where the Issue Occurred
The issue occurs within parsing of XML reports for nmap. The exact line where the vulnerable parsing occurs is given below:
python-libnmap/libnmap/parser.py
Line 90 in 9cf3a54
Reproduction steps
Run the following code:
Remediation
Python does not contain any fixes for this vulnerability, but that doesn't mean it can't be fixed. Searching for the word DOCTYPE, prior to parsing, and raising an exception should patch the issue.
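A pre-parse check along the lines of the remediation above, as an added example that is not from the issue or from libnmap's code. It goes one step further than a search for DOCTYPE: nmap's own XML output carries a `<!DOCTYPE nmaprun>` line, so the check refuses entity declarations, which entity-expansion bombs depend on, and lets a bare DOCTYPE through. `safe_parse_report`, `EntityDeclarationForbidden` and both sample reports are hypothetical names and constructed inputs.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample inputs (not real scan output).
CLEAN_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nmaprun>
<nmaprun scanner="nmap">
  <host><address addr="192.0.2.10" addrtype="ipv4"/></host>
</nmaprun>"""

ENTITY_REPORT = """<?xml version="1.0"?>
<!DOCTYPE nmaprun [ <!ENTITY a "x"> ]>
<nmaprun scanner="&a;"/>"""


class EntityDeclarationForbidden(ValueError):
    """The report declares an XML entity; expansion bombs depend on these."""


def _reject_entity(name, is_parameter_entity, value, base,
                   system_id, public_id, notation_name):
    # expat calls this for every <!ENTITY ...> declaration. Raising here
    # stops the parse inside the DTD, before any entity reference in the
    # document body can be expanded.
    raise EntityDeclarationForbidden("entity %r declared in report" % name)


def safe_parse_report(report):
    """Parse an nmap XML report (str or bytes), refusing entity declarations.

    Hypothetical helper for illustration; not part of libnmap's API.
    """
    checker = expat.ParserCreate()
    checker.EntityDeclHandler = _reject_entity
    checker.Parse(report, True)  # raises on <!ENTITY> or on malformed XML
    return ET.fromstring(report)


if __name__ == "__main__":
    print(safe_parse_report(CLEAN_REPORT).find("host/address").get("addr"))
    try:
        safe_parse_report(ENTITY_REPORT)
    except EntityDeclarationForbidden as exc:
        print("rejected:", exc)
```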