[Python-Dev] XML DoS vulnerabilities and exploits in Python

Christian Heimes christian at python.org
Thu Feb 21 11:18:35 CET 2013


On 21.02.2013 08:42, Antoine Pitrou wrote:
> Sure, but in many instances, rebooting a machine is not
> business-threatening. You will have a couple of minutes' downtime and
> that's all. Which is why the attack must be repeated many times to be a
> major annoyance.

Is this business-threatening enough?

https://pypi.python.org/pypi/defusedxml#external-entity-expansion-remote

* An attacker can circumvent firewalls and gain access to restricted
resources as all the requests are made from an internal and trustworthy
IP address, not from the outside.

* An attacker can abuse a service to attack, spy on or DoS your servers
but also third party services. The attack is disguised with the IP
address of the server and the attacker is able to utilize the high
bandwidth of a big machine.

* An attacker can exhaust additional resources on the machine, e.g. with
requests to a service that doesn't respond or responds with very large
files.

* An attacker may gain knowledge, when, how often and from which IP
address an XML document is accessed.

* An attacker could send mail from inside your network if the URL
handler supports smtp:// URIs.
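One defensive check for the risks listed above, added here as an example (not code from the original post, from CPython or from defusedxml): a parser built on the stdlib `xml.parsers.expat` that refuses any document declaring a DTD, an entity or an external entity reference before anything is fetched or expanded. The sample documents and the `.invalid` hostname are constructed for the demonstration.

```python
import xml.parsers.expat

class ForbiddenDTD(ValueError):
    """Raised when a document declares a DTD or an entity."""

def parse_xml_strict(data: bytes) -> list:
    """Parse with the stdlib expat parser and return (tag, attrs) per element.

    Any DOCTYPE, any entity declaration (internal ones drive expansion bombs,
    external ones drive URL fetches) and any external entity reference aborts
    parsing before expat fetches or expands anything.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDTD("DOCTYPE not allowed: %r" % name)

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenDTD("entity declaration not allowed: %r" % name)

    def external_entity_ref(context, base, sysid, pubid):
        # Returning 0 makes expat stop with an error instead of resolving
        # the reference; nothing is ever fetched.
        return 0

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = lambda tag, attrs: elements.append((tag, attrs))
    parser.Parse(data, True)
    return elements

def is_rejected(data: bytes) -> bool:
    """True if the strict parser refuses the document (DTD/entity or malformed)."""
    try:
        parse_xml_strict(data)
    except (ForbiddenDTD, xml.parsers.expat.ExpatError):
        return True
    return False

# Constructed samples: a plain document, and one declaring an external entity
# that points at an internal host (placeholder hostname, never contacted).
SAFE_DOC = b"<root a='1'><child/></root>"
EXTERNAL_ENTITY_DOC = (
    b"<!DOCTYPE root [<!ENTITY ext SYSTEM 'http://intranet.invalid/'>]>"
    b"<root>&ext;</root>"
)
```

Because the DOCTYPE handler fires before any entity is declared or resolved, the check also stops internal-entity expansion bombs, which is the DoS case in the thread's subject.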
