Message352921
It's "Lib/DocXMLRPCServer.py" in python2x or "Lib/xmlrpc/server.py" in python3x.
Steps to reproduce:
1.Lib/DocXMLRPCServer.py is “a documenting XML-RPC Server“,In the Class ServerHTMLDoc, method markup(), will escape the Special symbols to safe(such as <," etc).
2.But it only escape the content from server.set_server_name() and server.set_server_documentation(),the "title" content from the server.set_server_title() will not be escaped, so if I set_server_title('123</title><script>alert(1)</script>'), it will cause XSS because not escaped.
3.I see the alert in Chrome by visiting http://127.0.0.1,the Poc is the poc.py(run in python2.7) in attachments.
4.Problems seems to be at
https://github.com/python/cpython/blob/master/Lib/xmlrpc/server.py#L897 "return documenter.page(self.server_title,documentation)".Before this line,variable "documentation" has been escaped but self.server_title not.This is the main cause. |
|
Date |
User |
Action |
Args |
2019-09-21 02:17:30 | longwenzhang | set | recipients:
+ longwenzhang |
2019-09-21 02:17:30 | longwenzhang | set | messageid: <1569032250.18.0.545337961077.issue38243@roundup.psfhosted.org> |
2019-09-21 02:17:30 | longwenzhang | link | issue38243 messages |
2019-09-21 02:17:29 | longwenzhang | create | |
|