Hi Fabrice, Thanks for the hint; definitely interesting to track down. Did you already manage to trigger this behavior in BaseX (with the REST interface, or anything else)?
Best,
Christian

On Wed, Mar 14, 2018 at 4:28 PM, Fabrice ETANCHAUD <[email protected]> wrote:
> Hello,
>
> I found this MarkLogic post interesting,
> so I forward it to the BaseX users.
>
> I do not remember loading data I did not trust, but did somebody experience
> this kind of issue?
>
> Best regards,
>
> Fabrice Etanchaud
>
> From: [email protected]
> [mailto:[email protected]] On behalf of Marcel de Kleine
> Sent: Wednesday, 14 March 2018 13:43
> To: [email protected]
> Subject: [MarkLogic Dev General] Marklogic XXE and XML Bomb prevention
>
> Hello,
>
> We have noticed Marklogic is vulnerable to xxe (entity expansion) and xml
> bomb attacks. When loading a malicious document using xdmp:document-insert
> it won't catch these and cause either loading of unwanted external documents
> (xxe) or lockup of the system (xml bomb).
>
> For example, if I load this document:
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <!DOCTYPE foo [
> <!ELEMENT foo ANY >
> <!ENTITY xxe SYSTEM "file:///c:/text.xml" >]>
> <foo>&xxe;</foo>
>
> The file test.xml gets nicely added to the xml document.
>
> See OWASP and others for examples.
>
> This is clearly an xml processing issue so the question is: can we disable
> this? And if so, on what levels would this be possible. Best should be
> system-wide.
>
> (And if you cannot disable this, I think this is something ML should
> address immediately.)
>
> Thank you in advance,
> Marcel de Kleine, EPAM
>
> Marcel de Kleine
> Senior Software Engineer
>
> Office: +31 20 241 6134 x 30530 Cell: +31 6 14806016 Email:
> [email protected]
> Delft, Netherlands epam.com
>
> CONFIDENTIALITY CAUTION AND DISCLAIMER
> This message is intended only for the use of the individual(s) or
> entity(ies) to which it is addressed and contains information that is
> legally privileged and confidential. If you are not the intended recipient,
> or the person responsible for delivering the message to the intended
> recipient, you are hereby notified that any dissemination, distribution or
> copying of this communication is strictly prohibited. All unintended
> recipients are obliged to delete this message and destroy any printed
> copies.
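The two failure modes Marcel describes (an external entity such as `file:///c:/text.xml` being pulled into the stored document, and nested internal entities inflating until the system locks up) both happen at the moment a parser expands entity references in the content. A pre-ingestion gate can therefore decide before that moment by reading only the DOCTYPE and stopping. The following is an added example written for this thread, not code from BaseX or MarkLogic and not something either project ships: it uses Python's expat binding, stops the parser at the end of the DTD so nothing is ever expanded or fetched, and estimates the worst-case expansion of each internal entity from its declared replacement text. The function names, the `max_expansion` threshold and the three sample documents are assumptions; the first sample mirrors the document quoted in the mail.

```python
"""Pre-ingestion gate for untrusted XML (assumed helper, not BaseX or MarkLogic code).

Reads only the DOCTYPE of a document with expat and stops before any content is
parsed, so no entity is expanded (XML bomb) and no external resource is fetched
(XXE). A strict deployment can simply reject every document that reports a DOCTYPE.
"""
import re
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """The document declares something an untrusted source must not declare."""


class _DoctypeScanDone(Exception):
    """Internal signal: the DTD has been read, stop before the content."""


_ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")


def inspect_dtd(data: bytes) -> dict:
    """Report the DOCTYPE and entity declarations without expanding anything."""
    report = {"doctype": False, "internal_entities": {}, "external_entities": {}}
    parser = expat.ParserCreate()
    # Never read parameter entities: they could pull in an external DTD.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype_start(name, sysid, pubid, has_internal_subset):
        report["doctype"] = True
        if sysid or pubid:  # an external DTD subset is an external reference too
            report["external_entities"]["<!DOCTYPE>"] = sysid or pubid

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:
            report["external_entities"][name] = sysid or pubid
        else:
            # expat hands over the raw replacement text; nested &refs; are not
            # expanded at declaration time, which is why this scan stays cheap
            report["internal_entities"][name] = value

    def on_doctype_end():
        # Content (where &xxe; or &lol9; would be expanded) is never parsed.
        raise _DoctypeScanDone

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError(f"refusing to resolve external entity {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype_start
    parser.EntityDeclHandler = on_entity_decl
    parser.EndDoctypeDeclHandler = on_doctype_end
    parser.ExternalEntityRefHandler = on_external_ref  # defence in depth
    try:
        parser.Parse(data, True)
    except _DoctypeScanDone:
        pass
    return report


def expansion_size(entities: dict, name: str, _chain=()) -> int:
    """Worst-case expanded length of one internal entity, following nested references."""
    if name in _chain:
        raise UnsafeXMLError(f"recursive entity {name!r}")
    value = entities.get(name)
    if value is None:  # undeclared or predefined (&amp; etc.): count one character
        return 1
    total, last = 0, 0
    for m in _ENTITY_REF.finditer(value):
        total += m.start() - last
        total += expansion_size(entities, m.group(1), _chain + (name,))
        last = m.end()
    return total + len(value) - last


def classify_untrusted_xml(data: bytes, max_expansion: int = 100_000) -> str:
    """Return 'clean', 'dtd', 'xxe' or 'xml-bomb' for a document of unknown origin."""
    try:
        report = inspect_dtd(data)
    except UnsafeXMLError:
        return "xxe"
    if report["external_entities"]:
        return "xxe"
    ents = report["internal_entities"]
    try:
        worst = max((expansion_size(ents, n) for n in ents), default=0)
    except UnsafeXMLError:  # a recursive entity is another flavour of bomb
        return "xml-bomb"
    if worst > max_expansion:
        return "xml-bomb"
    return "dtd" if report["doctype"] else "clean"


# Constructed samples: XXE_DOC mirrors the document quoted in the mail,
# BOMB_DOC is a five-level nested-entity document, CLEAN_DOC has no DTD.
XXE_DOC = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/text.xml" >]>
<foo>&xxe;</foo>"""

BOMB_DOC = (
    b'<!DOCTYPE lolz [<!ENTITY lol0 "lol">'
    + b"".join(b'<!ENTITY lol%d "%s">' % (i, (b"&lol%d;" % (i - 1)) * 10) for i in range(1, 6))
    + b"]><lolz>&lol5;</lolz>"
)

CLEAN_DOC = b"<foo>plain &amp; harmless</foo>"

if __name__ == "__main__":
    for label, doc in (("xxe", XXE_DOC), ("bomb", BOMB_DOC), ("clean", CLEAN_DOC)):
        print(label, "->", classify_untrusted_xml(doc))
```

A document that is not well-formed makes `inspect_dtd` raise `xml.parsers.expat.ExpatError`; an ingestion path would treat that as a rejection as well. The verdict `dtd` covers documents that declare a DOCTYPE but nothing dangerous; whether those are acceptable from a given source is a policy choice, and the simplest system-wide rule of the kind Marcel asks about is to accept only `clean`.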

