[
https://issues.apache.org/jira/browse/BATIK-1139?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15985316#comment-15985316
]
Antoine Beaupre edited comment on BATIK-1139 at 4/26/17 6:41 PM:
-----------------------------------------------------------------
Hi. Is this vulnerability the same as
https://nvd.nist.gov/vuln/detail/CVE-2017-5662?
Also: are the commits referred to in this bug report sufficient to fix this
issue on 1.8? I'm looking at backporting those to 1.7 as well, and so far am
under the assumption the patches are enough and complete there as well.
Thanks!
was (Author: anarcat):
Hi. Is this vulnerability the same as
https://nvd.nist.gov/vuln/detail/CVE-2017-5662?
Thanks
> SSRF through external DTD resolution
> ------------------------------------
>
> Key: BATIK-1139
> URL: https://issues.apache.org/jira/browse/BATIK-1139
> Project: Batik
> Issue Type: Bug
> Components: SVG Rasterizer
> Affects Versions: 1.8
> Reporter: Lars Krapf
> Assignee: Glenn Adams
> Fix For: 1.9
>
> Attachments: ssrf.svg
>
>
> The fix for XXE (BATIK-1018) seems to be incomplete.
> External DTD resolution should also be disabled in order to avoid attacks
> like SSRF or port-scanning behind the firewall.
> See attached file (ssrf.svg) for an example.
> {code}
> chaotic@m0lly:~$ nc -l 2323
> GET / HTTP/1.1
> User-Agent: Java/1.7.0_60-ea
> Host: localhost:2323
> Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
> Connection: keep-alive
> {code}
> To fix it you could disable the external DTD resolution altogether, using the
> document factory configuration, i.e.
> {code}
> dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
> {code}
> See also https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
> for more information on XXE.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)