The xml.etree.ElementTree module that mofh used up until version 1.0.1 implements a simple and efficient API for parsing and creating XML data, but it makes the application vulnerable to:
- Billion Laughs attack: a denial-of-service attack aimed at XML parsers. It uses multiple levels of nested entities, so a small document expands into a huge one. If one large entity of a couple of thousand characters is repeated again and again, the parser gets overwhelmed.
- Quadratic blowup attack: similar to a Billion Laughs attack, it also abuses entity expansion. Instead of nesting entities, it repeats one large entity of a couple of thousand characters many times.
The problem has been patched starting from version 1.0.1 by utilising the defusedxml package instead of xml.etree.ElementTree.
Workarounds
For this vulnerability to be exploited, the user must be using a custom API URL, which has to be given manually via the api_url argument, or MyOwnFreeHost's API must itself be compromised. So if the user did not use a custom API URL they should be fine; however, upgrading is still advised.
Another workaround is to call defusedxml.defuse_stdlib() before making any requests with the client.
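The check below is an added example, not mofh's code. It shows, with the standard library only, the kind of guard that defusedxml installs: the expat parser underneath xml.etree.ElementTree is told to abort the moment a DOCTYPE, entity declaration or external entity reference appears, so an API response is only handed to ElementTree once it is known to contain no entity definitions at all. Internal entities must be declared before they are referenced, so this pre-flight pass stops before any expansion can occur. The sample responses (BENIGN, WITH_ENTITY), the function names and the UnsafeXML exception are all constructed for this example; in a real client, use defusedxml.ElementTree as mofh 1.0.1 does rather than re-implementing this.

```python
"""Reject XML that declares a DTD or entities before xml.etree parses it.

Added example (not mofh's code). It mirrors the handlers defusedxml sets on
the expat parser; defusedxml.ElementTree.fromstring is the preferred fix.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when a document declares a DTD, an entity or an external reference."""


def _forbidden(what):
    """Build an expat handler that aborts parsing with a descriptive error."""
    def handler(*args):
        raise UnsafeXML(f"{what} is not allowed in an API response")
    return handler


def check_xml_safe(data: bytes) -> None:
    """Pre-flight pass over the raw bytes: abort on the first DOCTYPE or entity.

    Because an internal entity has to be declared before it can be referenced,
    EntityDeclHandler fires (and we raise) before expat expands anything.
    """
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbidden("DOCTYPE declaration")
    parser.EntityDeclHandler = _forbidden("entity declaration")
    parser.UnparsedEntityDeclHandler = _forbidden("unparsed entity declaration")
    parser.ExternalEntityRefHandler = _forbidden("external entity reference")
    parser.Parse(data, True)  # exceptions raised in handlers propagate here


def is_safe_xml(data: bytes) -> bool:
    """True if the document passed the pre-flight check, False otherwise."""
    try:
        check_xml_safe(data)
    except UnsafeXML:
        return False
    return True


def parse_api_response(data: bytes) -> ET.Element:
    """Parse an API response with xml.etree only after the pre-flight check."""
    check_xml_safe(data)
    return ET.fromstring(data)


def unguarded_text(data: bytes) -> str:
    """What the plain stdlib parser does: expand entities silently."""
    return ET.fromstring(data).text


# Constructed sample responses (not real MyOwnFreeHost output).
BENIGN = b"<?xml version='1.0'?><response><status>success</status></response>"

# One tiny internal entity is enough to be rejected; entity-expansion attacks
# are only larger versions of this same DOCTYPE/ENTITY shape.
WITH_ENTITY = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE response [<!ENTITY greeting 'hello'>]>"
    b"<response>&greeting;</response>"
)


if __name__ == "__main__":
    print("benign safe:", is_safe_xml(BENIGN))
    print("entity doc safe:", is_safe_xml(WITH_ENTITY))
    print("stdlib expands it to:", unguarded_text(WITH_ENTITY))
    try:
        parse_api_response(WITH_ENTITY)
    except UnsafeXML as exc:
        print("guarded parse rejected it:", exc)
```

The guard is deliberately strict: a custom api_url points at a server the client does not control, and a legitimate MyOwnFreeHost-style response has no reason to carry a DTD, so refusing every DOCTYPE is cheaper and safer than trying to bound expansion sizes.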