https://issues.apache.org/bugzilla/show_bug.cgi?id=53603
--- Comment #5 from Nicolas GREGOIRE <[email protected]> ---

I understand your position but I think that these risks should then be much more visible to casual users of the framework (i.e. documentation improvement).

Nowadays, it's trivial to find some applications using Batik in an insecure way (allowing the disclosure of local files). Examples:

- Apache FOP: vulnerable. Repro: FOP document including a malicious SVG image
- HighCharts JS: vulnerable. Repro: submit a malicious SVG to the on-line export feature of this graph library

MediaWiki seems impacted too: http://www.mediawiki.org/wiki/Manual:$wgSVGConverters

Regarding XInclude: it is a feature of the XML parser and could be disabled there in security-conscious deployments.

Regarding ECMAScript: it can be disabled using command-line options.

The main differences with the XXE attack are that this one is scriptless and can't be inhibited using options.
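As an added illustration (not code from the bug report, Batik or any of the projects named above), the following shows how a Batik consumer can switch off the XML-parser features the comment points at (XInclude, external entity resolution, external DTD loading) on a standard JAXP DocumentBuilderFactory before an untrusted SVG is parsed. It assumes the application builds the DOM itself and hands it to the renderer afterwards; the feature URIs are the standard Xerces/JAXP ones, and the sample SVG and file path are constructed placeholders.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class HardenedSvgParser {

    // Builds a JAXP parser that performs no external lookups while parsing an
    // SVG document supplied by an untrusted user (hypothetical helper, not a Batik API).
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // XInclude is a parser feature: turn it off, as the comment suggests.
        f.setXIncludeAware(false);
        // Never resolve external general or parameter entities (the XXE vector).
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // SVG files commonly carry a DOCTYPE pointing at the W3C DTD; keep the
        // declaration parseable but do not fetch the external DTD it references.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setExpandEntityReferences(false);
        // JAXP secure-processing limits (entity expansion count, etc.).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder b = f.newDocumentBuilder();
        // Belt and braces: any remaining external reference resolves to an empty source.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an SVG whose DOCTYPE declares an entity backed by a
        // local file (placeholder path). A permissive parser would inline that file.
        String svg = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE svg [<!ENTITY ext SYSTEM \"file:///placeholder/local/file\">]>\n"
            + "<svg xmlns=\"http://www.w3.org/2000/svg\"><text>&ext;</text></svg>";
        Document d = newHardenedBuilder().parse(new InputSource(new StringReader(svg)));
        // With external entities disabled the reference is not resolved, so no
        // local file content ends up in the document handed to the renderer.
        System.out.println("text content: '" + d.getDocumentElement().getTextContent() + "'");
    }
}
```

Disabling external entities at the parser covers the scriptless local-file disclosure the comment describes; the ECMAScript options it mentions are a separate Batik setting and are not touched here.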
