[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py
longwenzhang
report at bugs.python.org
Fri Sep 20 22:17:30 EDT 2019
New submission from longwenzhang <pakecalvs at outlook.com>:
It's "Lib/DocXMLRPCServer.py" in python2x or "Lib/xmlrpc/server.py" in python3x.
Steps to reproduce:
1.Lib/DocXMLRPCServer.py is “a documenting XML-RPC Server“,In the Class ServerHTMLDoc, method markup(), will escape the Special symbols to safe(such as <," etc).
2.But it only escape the content from server.set_server_name() and server.set_server_documentation(),the "title" content from the server.set_server_title() will not be escaped, so if I set_server_title('123</title><script>alert(1)</script>'), it will cause XSS because not escaped.
3.I see the alert in Chrome by visiting http://127.0.0.1,the Poc is the poc.py(run in python2.7) in attachments.
4.Problems seems to be at
https://github.com/python/cpython/blob/master/Lib/xmlrpc/server.py#L897 "return documenter.page(self.server_title,documentation)".Before this line,variable "documentation" has been escaped but self.server_title not.This is the main cause.
----------
components: Library (Lib)
files: poc.py
messages: 352921
nosy: longwenzhang
priority: normal
severity: normal
status: open
title: A reflected XSS in python/Lib/DocXMLRPCServer.py
type: security
versions: Python 3.7
Added file: https://bugs.python.org/file48619/poc.py
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue38243>
_______________________________________
More information about the Python-bugs-list
mailing list