----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 30, 2002 2:39 PM
Subject: DO NOT REPLY [Bug 14105] New: - axis is vulnerable to XXE

> Details:
> External entity references allow embedding data outside the main file into
> an XML document. In the DTD, one declares the external reference with the
> following syntax:
> <!ENTITY name SYSTEM "URI">
>
> XML processor behavior as specified is
> [http://www.w3.org/TR/REC-xml#include-if-valid]:
ha. I've discussed this in terms of xlink and xsd import attacks in
http://www.iseran.com/Steve/papers/when_web_services_go_bad.html and more
broadly http://www.iseran.com/Steve/papers/wstw/ Web Services that Work.
Guess I should have explored axis more.

> Successful exploitation may yield:
> * DoS on the parsing system by making it open, e.g.
> file:///dev/random | file:///dev/urandom | file://c:/con/con
> * TCP scans using HTTP external entities (including behind firewalls
> since application servers often have world view different
> from that of the attacker)
> * Unauthorized access to data stored as XML files on the parsing
> system file system (of course the attacker still needs a way to
> get these data back)

actually if you can do entity expansion you can get any text file into
the text body of a message, that being easier to echo.

> Java:
> Apache XML-RPC server is NOT vulnerable in the default configuration
> due to its use of MinML parser which doesn't support external entities.
> Yet should be vulnerable if used with a full blown parser like Xerces
> or Crimson. To make it invulnerable in all configurations it needs to
> explicitly set up an EntityResolver that aborts having found external
> entities.

We have fun here as we are dependent upon bundled parsers. How do we turn
off entity resolution in SAX?

> Acknowledgments:
> Even though the issue was discovered and researched independently I
> cannot claim to be the first one to realize the risks associated with
> XML external entities. E.g. RFC 2518 discusses the issue in section
> 17.7 Implications of XML External Entities.

yes, I've been aware of it for a while, I just never did the experiments.
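As an added example (not code from the bug report, from Axis, or from anyone on the list), here is one answer to "how do we turn off entity resolution in SAX": the standard SAX external-entity features, plus the aborting EntityResolver the report asks for. The Xerces disallow-doctype-decl feature is assumed to be available (it is in the JDK's bundled parser), and the sample document and its placeholder URI are constructed.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class NoExternalEntities {
    // Constructed sample: a DTD declares an external entity and the body
    // references it. The SYSTEM URI is a placeholder, not a real target.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE msg [ <!ENTITY ext SYSTEM \"file:///placeholder/example.txt\"> ]>\n"
      + "<msg>&ext;</msg>";

    // Builds a SAX reader that never fetches external entities.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Standard SAX features: do not load general or parameter entities
        // from their SYSTEM/PUBLIC identifiers.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Xerces feature (assumed available, as with the JDK's bundled parser):
        // reject any DOCTYPE, so no entity declarations are processed at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        XMLReader r = f.newSAXParser().getXMLReader();
        // The aborting EntityResolver the bug report asks for: if a bundled
        // parser ignores the features above, resolution still fails here.
        r.setEntityResolver(new EntityResolver() {
            public InputSource resolveEntity(String publicId, String systemId)
                    throws SAXException {
                throw new SAXException("external entity rejected: " + systemId);
            }
        });
        return r;
    }

    public static void main(String[] args) throws Exception {
        XMLReader r = hardenedReader();
        r.setContentHandler(new DefaultHandler());
        try {
            r.parse(new InputSource(new StringReader(SAMPLE)));
            System.out.println("parsed without error (unexpected)");
        } catch (SAXException e) {
            // Expected: the DOCTYPE is rejected before any entity is touched.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Apply the same settings to any bundled parser you cannot replace; a parser that does not recognise one of the feature URIs will throw from setFeature, which is the signal to fall back on the EntityResolver alone.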