Bug#931117: liblemonldap-ng-portal-perl: XXE vulnerability in SOAP notification server
Xavier Guimard
yadd at debian.org
Wed Jun 26 13:03:41 BST 2019
Package: liblemonldap-ng-portal-perl
Version: 1.9.7-3
Severity: normal
Tags: security upstream
Notification server (not enabled by default) allows authorized
administrators to push XML files to notify a message to a user. Due to
#838097, XML::LibXML expands external entities by default. Then an
administrator can push a XML that allows him to read any file in server
filesystem accessible by www-data.
See https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1818 for
more.
This issue exists in versions [>= 2.0.0, < 2.0.5] but isn't exploitable
since:
- notification system does not use SOAP/XML by default
- old-compatibility mode is broken is these versions
More information about the pkg-perl-maintainers
mailing list