0dd - The Zero (0) Day Division

The Zero (0) Day Division is a group of security professionals working towards a common goal: securing open-source projects.

OpenPSA XML Denial of Service

The Issue

The OpenPSA project called xml_parse_into_struct in an overly permissive manner on user-uploaded file contents. On certain PHP versions this can be used to cause a denial of service.

Where the Issue Occurred

The code below (found in /lib/net/nemein/rss/handler/admin.php on lines 93 and 94) creates an XML parser and attempts to parse the file provided by the user:

// $opml_data holds the raw contents of the OPML file uploaded by the user
$opml_parser = xml_parser_create();
// parsed with no size or structure limits, straight into $opml_values
xml_parse_into_struct($opml_parser, $opml_data, $opml_values);

A denial of service scenario can be created for vulnerable PHP versions, using a specially crafted XML file.
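As an added example (not the OpenPSA project's own code, and not the fix the maintainers shipped), here is a guarded way to handle the same uploaded OPML data before it reaches the expat-based parser. The byte cap, depth and node limits are assumed values, and parse_opml_guarded() is a hypothetical name.

```php
<?php
// Added example, not OpenPSA code: a guarded replacement for an
// unrestricted xml_parse_into_struct() call on an uploaded OPML file.
// The limits below are assumptions chosen for a typical feed list.
const OPML_MAX_BYTES = 512 * 1024;
const OPML_MAX_DEPTH = 32;
const OPML_MAX_NODES = 10000;

function parse_opml_guarded(string $opml_data): array
{
    // 1. Cap the raw size before the parser ever sees the data.
    if (strlen($opml_data) > OPML_MAX_BYTES) {
        throw new RuntimeException('OPML upload exceeds size limit');
    }
    // 2. OPML needs no DOCTYPE; rejecting it removes entity expansion.
    if (preg_match('/<!DOCTYPE/i', $opml_data)) {
        throw new RuntimeException('DOCTYPE declarations are not accepted');
    }
    // 3. Walk the document with callbacks so parsing can be aborted early
    //    instead of letting xml_parse_into_struct() build an unbounded array.
    $depth = 0;
    $nodes = 0;
    $values = [];
    $parser = xml_parser_create();
    xml_set_element_handler(
        $parser,
        function ($p, $name, $attrs) use (&$depth, &$nodes, &$values) {
            if (++$depth > OPML_MAX_DEPTH || ++$nodes > OPML_MAX_NODES) {
                throw new RuntimeException('OPML document too complex');
            }
            $values[] = ['tag' => $name, 'type' => 'open',
                         'level' => $depth, 'attributes' => $attrs];
        },
        function ($p, $name) use (&$depth, &$values) {
            $values[] = ['tag' => $name, 'type' => 'close', 'level' => $depth];
            $depth--;
        }
    );
    try {
        if (!xml_parse($parser, $opml_data, true)) {
            throw new RuntimeException('Malformed OPML: '
                . xml_error_string(xml_get_error_code($parser)));
        }
    } finally {
        xml_parser_free($parser);
    }
    // Same open/close node shape as xml_parse_into_struct(), but bounded.
    return $values;
}
```

The callback approach matters because xml_parse_into_struct() offers no way to stop once parsing has begun, whereas an exception thrown from a handler ends the parse immediately.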

Disclosure Timeline

  • Issue Reported: 29th May 2018
  • Issue Resolved: 30th May 2018
  • Blog Post Published: 1st June 2018
  • Applied for CVE: 24th June 2018