Build the DTD with a nesting depth of at least 551 and then send a large number of !ENTITY> nodes to build_model via XSS. The attacker can send a large number of entities with the following construct: !ENTITY data-xss="{{count}}"> The output of this XSS attack depends on the build environment.

If the build environment is Apache, and if the Apache httpd module mod_rewrite is enabled, the XSS becomes a DOS attack.

If the build environment is Nginx, the attack results in crashing Nginx. In all cases, the attacker can send a large number of entities and cause stack exhaustion.

Build the DTD with a nesting depth of at least 551 and then send a large number of nodes to build_model via XSS. The attacker can send a large number of nodes with the following construct:
Reduce the risk of this attack by limiting nesting depth, for example, limit the nesting depth to 100 or fewer. - For Apache with mod_rewrite:
Reduce the risk of this attack by not enabling mod_rewrite. - For Nginx: Reducing stack exhaustion in build_model — By limiting the nesting depth to 100 or fewer, or by disabling mod_rewrite.

Mitigation: Stack exhaustion protection in build_model

Timeline

Published on: 02/18/2022 05:15:00 UTC
Last modified on: 06/14/2022 11:15:00 UTC

References