[
https://issues.apache.org/jira/browse/BATIK-1189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16021020#comment-16021020
]
Donald Kwakkel commented on BATIK-1189:
---------------------------------------
No replication steps. I found these by code inspection.
> XML External Entity Injection
> -----------------------------
>
> Key: BATIK-1189
> URL: https://issues.apache.org/jira/browse/BATIK-1189
> Project: Batik
> Issue Type: Bug
> Affects Versions: 1.9
> Reporter: Donald Kwakkel
> Priority: Critical
>
> XML parsers/transformers do not prevent or limit external entity
> resolution. This can expose the parser to an XML External Entities attack.
> Following places:
> # ImageIODebugUtil.dumpNode (TransformerFactory)
> # NodePickerPanel.parseXml (DocumentBuilderFactory)
> # SAXSVGDocumentFactory.resolveEntity (line 374 returns null, which falls back
> to the default resolver)
> # XMLInputHandler.handle (both Transformer and Document Factory)
> For DocumentBuilderFactory you probably need to set:
> {code}
> factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
> factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
> {code}
> For TransformerFactory:
> {code}
> factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
> {code}
> Explanation:
> XML External Entities attacks benefit from an XML feature to build documents
> dynamically at the time of processing. An XML entity allows inclusion of data
> dynamically from a given resource. External entities allow an XML document to
> include data from an external URI. Unless configured to do otherwise,
> external entities force the XML parser to access the resource specified by
> the URI, e.g., a file on the local machine or on a remote system. This
> behavior exposes the application to XML External Entity (XXE) attacks, which
> can be used to perform denial of service of the local system, gain
> unauthorized access to files on the local machine, scan remote machines, and
> perform denial of service of remote systems.
> The following XML document shows an example of an XXE attack.
> {code}
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <!DOCTYPE foo [
> <!ELEMENT foo ANY >
> <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
> {code}
> This example could crash the server (on a UNIX system), if the XML parser
> attempts to substitute the entity with the contents of the /dev/random file.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
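As an added example, not part of the report above and not Batik's own code: a stand-alone Java program that applies the two DocumentBuilderFactory features and the TransformerFactory secure-processing flag named in the report, and shows the difference against a default JAXP factory on a constructed document. It also adds a few things the report does not mention, which are assumptions of this example rather than the reporter's recommendation: the Xerces features disallow-doctype-decl and nonvalidating/load-external-dtd, the JAXP attributes ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET, and an EntityResolver that never returns null (returning null is exactly what lets a parser fall back to its default resolver, the SAXSVGDocumentFactory.resolveEntity point in the report). The sample document is constructed and points its entity at file:///dev/null so it is harmless whichever factory parses it; class and method names are the example's own.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {

    // Constructed sample (not from the report): a DOCTYPE declaring an external
    // general entity. It targets file:///dev/null so the demo is harmless.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///dev/null\"> ]>\n"
      + "<foo>&xxe;</foo>";

    // Resolver that never returns null: every external identifier maps to empty
    // input, so the parser cannot fall back to its default file/network resolver.
    static final EntityResolver NO_EXTERNAL_ENTITIES =
        (publicId, systemId) -> new InputSource(new StringReader(""));

    // DocumentBuilderFactory with the two features from the report plus the
    // (assumed) Xerces switches that reject a DOCTYPE outright and skip external DTDs.
    static DocumentBuilderFactory hardenedDocumentBuilderFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // TransformerFactory with secure processing on and (assumed) external access closed.
    static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Parses xml with the given factory (and optional resolver) and reports the outcome.
    static String tryParse(String label, DocumentBuilderFactory f,
                           EntityResolver resolver, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            if (resolver != null) {
                b.setEntityResolver(resolver);
            }
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return label + ": accepted, <foo> text = \""
                 + d.getDocumentElement().getTextContent() + "\"";
        } catch (SAXParseException e) {
            return label + ": rejected (" + e.getMessage() + ")";
        } catch (Exception e) {
            // e.g. an IOException when the entity's URI cannot be read on this platform
            return label + ": error (" + e + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // Default JAXP factory, default resolver: the DOCTYPE is accepted and the
        // parser actually opens the URI named in the entity declaration.
        System.out.println(tryParse("default factory",
            DocumentBuilderFactory.newInstance(), null, SAMPLE));

        // Hardened factory: the DOCTYPE itself is rejected before any entity is touched.
        System.out.println(tryParse("hardened factory",
            hardenedDocumentBuilderFactory(), NO_EXTERNAL_ENTITIES, SAMPLE));

        // Ordinary documents still parse and serialise through the hardened factories.
        Document doc = hardenedDocumentBuilderFactory().newDocumentBuilder()
            .parse(new InputSource(new StringReader("<svg><rect/></svg>")));
        Transformer t = hardenedTransformerFactory().newTransformer();
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        System.out.println("serialised: " + out);
    }
}
```

Run it with `javac XxeHardeningDemo.java && java XxeHardeningDemo`. The first line shows the default factory accepting the DOCTYPE and substituting the entity (empty text, since /dev/null is empty); the second shows the hardened factory rejecting the document with a parse error; the third confirms that normal SVG content is unaffected. Rejecting the DOCTYPE is the broadest option; where a project must keep DTDs (Batik's SVG DTDs are a case in point), the two SAX features from the report together with a resolver that never returns null is the narrower setting to apply.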