
Found an XML bomb in /home/cpeasyapache directory...

Discussion in 'EasyApache' started by gkgcpanel, Nov 15, 2010.

  1. gkgcpanel

    gkgcpanel Well-Known Member

    Joined:
    Jun 6, 2007
    Messages:
    214
    Likes Received:
    0
    Trophy Points:
    166
    cPanel Access Level:
    DataCenter Provider
    During one of our security scans, the following was returned:

    /home/cpeasyapache/src/libxml2-2.7.6/test/recurse/good.xml XML bomb
    /home/cpeasyapache/src/libxml2-2.7.6/test/recurse/goodattr.xml XML bomb

    So, I took a look in that directory:

    drwxr-xr-x 2 root root 4096 Sep 24 2009 ./
    drwxr-xr-x 29 root root 4096 Sep 24 2009 ../
    -rw-r--r-- 1 root root 23803 Sep 24 2009 goodattr.xml
    -rw-r--r-- 1 root root 23765 Sep 24 2009 good.xml
    -rw-r--r-- 1 root root 1707 Sep 24 2009 lol1.xml
    -rw-r--r-- 1 root root 1723 Sep 24 2009 lol2.xml
    -rw-r--r-- 1 root root 1659 Sep 24 2009 lol3.dtd
    -rw-r--r-- 1 root root 86 Sep 24 2009 lol3.xml
    -rw-r--r-- 1 root root 485 Sep 24 2009 lol4.patch
    -rw-r--r-- 1 root root 41408 Sep 24 2009 lol4.xml
    -rw-r--r-- 1 root root 1585 Sep 24 2009 lol5.xml
    -rw-r--r-- 1 root root 53243 Sep 24 2009 lol6.xml


    What the hell are all the lol?.xml files... ? Looking at them, they all contain:

    <?xml version="1.0"?>
    <!DOCTYPE billion [
    <!ELEMENT billion (#PCDATA)>
    <!ENTITY laugh0 "ha">
    <!ENTITY laugh1 "&laugh0;&laugh0;">
    <!ENTITY laugh2 "&laugh1;&laugh1;">
    <!ENTITY laugh3 "&laugh2;&laugh2;">
    <!ENTITY laugh4 "&laugh3;&laugh3;">
    <!ENTITY laugh5 "&laugh4;&laugh4;">
    <!ENTITY laugh6 "&laugh5;&laugh5;">
    <!ENTITY laugh7 "&laugh6;&laugh6;">
    <!ENTITY laugh8 "&laugh7;&laugh7;">
    <!ENTITY laugh9 "&laugh8;&laugh8;">
    <!ENTITY laugh10 "&laugh9;&laugh9;">
    <!ENTITY laugh11
    "&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;&laugh10;">
    <!ENTITY laugh12
    "&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;&laugh11;">
    <!ENTITY laugh13
    "&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;&laugh12;">
    ]>
    <billion>&laugh13;</billion>


    The 2 other files: good.xml and goodattr.xml contain:

    <!DOCTYPE foo [
    <!ENTITY f "some internal data">
    <!ENTITY e "&f;&f;">
    <!ENTITY d "&e;&e;">
    ]>
    <foo>&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;
    &d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;
    &d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;
    &d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;
    &d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;
    &d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;
    &d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;
    &d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;
    &d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;
    &d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;
    &d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;
    &d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;
    &d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;
    &d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;
    &d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;

    ....

    &d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;</foo>


    Since this is in the /home/cpeasyapache directory, I had assumed it has something to do with EasyApache, but now I'm not so sure...

    Anyone else ever see this? cPanel???

    Thanks,
    Peter
     
  2. RCraft

    RCraft Well-Known Member

    Joined:
    Nov 7, 2010
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    56
    Well, that's interesting. Can you provide more details about your server setup as far as security, software versions, etc?
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,160
    Likes Received:
    370
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
  4. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,561
    Likes Received:
    42
    Trophy Points:
    308
    cPanel Access Level:
    Root Administrator
    These are test files distributed by LibXML. You can verify by:

    1. Downloading libxml-2.7.6 from ftp://xmlsoft.org/libxml2/libxml2-2.7.6.tar.gz
    2. Unpacking the archive
    3. Checking the contents of the files in libxml-2.7.6/test/recurse

    It appears your security scan is returning a false positive.
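    The point of libxml2's test/recurse fixtures is that the lol?.xml files expand to an absurd size while good.xml does not, and a scanner that flags the latter but not the former is matching on surface pattern rather than on expansion. As an added example, not from this thread or from libxml2: a static estimator that computes the fully expanded size from the entity declarations alone, without expanding anything, run over reconstructions of the two file shapes quoted in the first post (the thresholds in assess are assumed for illustration).

```python
import re
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(["\'])(.*?)\2\s*>', re.S)  # <!ENTITY name "value">
ENTITY_REF = re.compile(r'&(\w+);')                                          # &name;

def _expanded_len(text, sizes):
    """Length of text once each reference to an entity in sizes is expanded."""
    total, pos = 0, 0
    for m in ENTITY_REF.finditer(text):
        total += m.start() - pos + sizes.get(m.group(1), len(m.group(0)))
        pos = m.end()
    return total + len(text) - pos

def entity_expansions(doc):
    """Expanded length of every declared entity, from the declarations alone (nothing is expanded)."""
    decls = {name: value for name, _, value in ENTITY_DECL.findall(doc)}
    sizes = {}
    def size_of(name, stack=()):
        if name in stack:  # reference cycle: not well-formed XML, treat as hostile
            raise ValueError(f"recursive entity {name}")
        if name not in sizes:
            for ref in {r for r in ENTITY_REF.findall(decls[name]) if r in decls}:
                size_of(ref, stack + (name,))
            sizes[name] = _expanded_len(decls[name], sizes)
        return sizes[name]
    for name in decls:
        size_of(name)
    return sizes

def expanded_size(doc):
    """Expanded length of the document body (everything after the internal subset)."""
    body = doc[doc.index("]>") + 2:] if "]>" in doc else doc
    return _expanded_len(body, entity_expansions(doc))

def assess(doc, max_ratio=100, max_bytes=10_000_000):
    """Flag absurd expansion; the thresholds are illustrative assumptions, not libxml2's or the scanner's."""
    size = expanded_size(doc)
    ratio = round(size / max(len(doc), 1), 1)
    return {"expanded": size, "ratio": ratio, "bomb": size > max_bytes or ratio > max_ratio}

# Constructed inputs: LOL_XML rebuilds the lol?.xml text transcribed in the first post
# (laugh0..laugh10 double, laugh11..laugh13 hold 42 copies of the previous entity);
# GOOD_XML is the good.xml shape from the same post, cut to 115 &d; references.
LOL_XML = ('<?xml version="1.0"?>\n<!DOCTYPE billion [\n<!ELEMENT billion (#PCDATA)>\n'
           '<!ENTITY laugh0 "ha">\n'
           + "".join('<!ENTITY laugh%d "&laugh%d;&laugh%d;">\n' % (i, i - 1, i - 1) for i in range(1, 11))
           + "".join('<!ENTITY laugh%d "%s">\n' % (i, ("&laugh%d;" % (i - 1)) * 42) for i in range(11, 14))
           + ']>\n<billion>&laugh13;</billion>\n')
GOOD_XML = ('<!DOCTYPE foo [\n<!ENTITY f "some internal data">\n<!ENTITY e "&f;&f;">\n'
            '<!ENTITY d "&e;&e;">\n]>\n<foo>' + "&d;" * 115 + '</foo>\n')
```

    Running assess over both shows good.xml expanding by a factor of under 20, while the lol file that the scan did not flag expands its ~1.7 KB to roughly 150 MB.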
     