New submission from longwenzhang <[email protected]>:
It's "Lib/DocXMLRPCServer.py" in python2x or "Lib/xmlrpc/server.py" in python3x.
Steps to reproduce:
1.Lib/DocXMLRPCServer.py is “a documenting XML-RPC Server“,In the Class
ServerHTMLDoc, method markup(), will escape the Special symbols to safe(such as
<," etc).
2.But it only escape the content from server.set_server_name() and
server.set_server_documentation(),the "title" content from the
server.set_server_title() will not be escaped, so if I
set_server_title('123</title><script>alert(1)</script>'), it will cause XSS
because not escaped.
3.I see the alert in Chrome by visiting http://127.0.0.1,the Poc is the
poc.py(run in python2.7) in attachments.
4.Problems seems to be at
https://github.com/python/cpython/blob/master/Lib/xmlrpc/server.py#L897 "return
documenter.page(self.server_title,documentation)".Before this line,variable
"documentation" has been escaped but self.server_title not.This is the main
cause.
----------
components: Library (Lib)
files: poc.py
messages: 352921
nosy: longwenzhang
priority: normal
severity: normal
status: open
title: A reflected XSS in python/Lib/DocXMLRPCServer.py
type: security
versions: Python 3.7
Added file: https://bugs.python.org/file48619/poc.py
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue38243>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
