thanks for the very detailed report!!! I have adopted that patch for our now dated version of openpyxl -- upload is coming shortly
On Tue, 07 Feb 2017, Ulikowski, Marcin wrote:

> Package: python-openpyxl
> Version: <= 2.3.5
>
> Openpyxl is vulnerable to XXE which allows reading local files and DoS an
> application. Openpyxl uses lxml which by default does resolve external
> entities and thus causes this vulnerability. This issue has been already
> reported to Openpyxl developers and was fixed about two weeks ago.
>
> https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1
>
> I'm attaching PoC code (xxe-poc.zip) which demonstrates this vulnerability.
> Script pyxl.py simulates a vulnerable application and takes Excel file as
> first argument. File blank_passwd.xlsx contains XXE payload which should read
> and store the contents of /etc/passwd.

-- 
Yaroslav O. Halchenko
Center for Open Neuroscience     http://centerforopenneuroscience.org
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                       Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik
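The report above describes the two outcomes of XXE in a spreadsheet parser: an external entity that pulls a local file into the document, and entity expansion that exhausts memory. An .xlsx file is a zip archive of XML parts, and no legitimate Office Open XML part carries a DOCTYPE or ENTITY declaration, so an application that must keep running an unpatched openpyxl can reject such files before the parser ever sees them. The following is an added example written for this page, not code from the bug report, from Debian or from openpyxl: it is a stdlib-only pre-parse scanner, with constructed in-memory workbooks (the minimal part layout, the entity names and the regular expression are the example's own assumptions, and the second sample merely mimics the shape of the reported blank_passwd.xlsx payload).

```python
import io
import re
import zipfile

# Any DOCTYPE or ENTITY declaration in an OOXML part is a red flag: the
# format never needs a DTD, so this catches both the external-entity
# (file read) and the entity-expansion (DoS) variants named in the report.
DTD_PATTERN = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Parts larger than this are refused outright (assumed limit for this example;
# tune it to the workbooks the application actually expects).
MAX_PART_BYTES = 32 * 1024 * 1024


def xml_parts_with_dtd(xlsx_bytes: bytes) -> list:
    """Return the names of zip members that look like XML and declare a DTD,
    or that exceed MAX_PART_BYTES. An empty list means nothing was flagged."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            if info.file_size > MAX_PART_BYTES:
                flagged.append(info.filename)
                continue
            with zf.open(info) as part:
                if DTD_PATTERN.search(part.read()):
                    flagged.append(info.filename)
    return flagged


def is_safe_to_open(xlsx_bytes: bytes) -> bool:
    """Gate to call before handing the bytes to openpyxl.load_workbook()."""
    return not xml_parts_with_dtd(xlsx_bytes)


def build_workbook(shared_strings_xml: bytes) -> bytes:
    """Constructed minimal xlsx-shaped container for the example; it is not a
    complete workbook, only enough structure to exercise the scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    b'<?xml version="1.0"?><Types xmlns="http://schemas.'
                    b'openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("xl/workbook.xml", b'<?xml version="1.0"?><workbook/>')
        zf.writestr("xl/sharedStrings.xml", shared_strings_xml)
    return buf.getvalue()


# Constructed sample parts.
BENIGN_PART = b'<?xml version="1.0"?><sst><si><t>hello</t></si></sst>'

# Same shape as the reported payload: an external entity the vulnerable
# parser would expand into the cell text.
XXE_PART = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE sst [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            b'<sst><si><t>&xxe;</t></si></sst>')

# Entity-expansion variant: touches no file, but nested entities multiply in
# memory while the parser expands them.
BOMB_PART = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE sst [<!ENTITY a "aaaaaaaaaa">'
             b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]>'
             b'<sst><si><t>&b;</t></si></sst>')


if __name__ == "__main__":
    for label, part in (("benign", BENIGN_PART), ("xxe", XXE_PART), ("bomb", BOMB_PART)):
        print(label, "flagged parts:", xml_parts_with_dtd(build_workbook(part)))
```

This is a gate, not a replacement for the upstream fix: the durable mitigation is a parser that does not resolve entities at all, which in lxml means constructing `etree.XMLParser(resolve_entities=False)` (optionally with `no_network=True`) rather than relying on the defaults the report calls out. The scanner is useful in front of code you cannot patch immediately, and as a log-worthy signal: a workbook arriving with a DTD is not something a spreadsheet application ever produces.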