Steve, See http://marc.theaimsgroup.com/?l=axis-dev&m=103601859604566&w=2 for my fixes and test cases.

Thanks,
dims

--- Steve Loughran <[EMAIL PROTECTED]> wrote:
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, October 30, 2002 2:39 PM
> Subject: DO NOT REPLY [Bug 14105] New: - axis is vulnerable to XXE
>
> > Details:
> > External entity references allow embedding data outside the main file into
> > an XML document. In the DTD, one declares the external reference with the
> > following syntax:
> > <!ENTITY name SYSTEM "URI">
> >
> > XML processor behavior as specified is
> > [http://www.w3.org/TR/REC-xml#include-if-valid]:
>
> ha.
>
> I've discussed this in terms of xlink and xsd import attacks in
> http://www.iseran.com/Steve/papers/when_web_services_go_bad.html
> and more broadly http://www.iseran.com/Steve/papers/wstw/ Web Services that
> Work. Guess I should have explored axis more.
>
> > Successful exploitation may yield:
> > * DoS on the parsing system by making it open, e.g.
> >   file:///dev/random | file:///dev/urandom | file://c:/con/con
> > * TCP scans using HTTP external entities (including behind firewalls
> >   since application servers often have world view different
> >   from that of the attacker)
> > * Unauthorized access to data stored as XML files on the parsing
> >   system file system (of course the attacker still needs a way to
> >   get these data back)
>
> actually if you can do entity expansion you can get any text file into the
> text body of a message, that being easier to echo.
>
> > Java:
> > Apache XML-RPC server is NOT vulnerable in the default configuration
> > due to its use of MinML parser which doesn't support external entities.
> > Yet should be vulnerable if used with a full blown parser like Xerces
> > or Crimson. To make it invulnerable in all configurations it needs to
> > explicitly set up an EntityResolver that aborts having found external
> > entities.
>
> We have fun here as we are dependent upon bundled parsers. How do we turn
> off entity resolution in SAX?
>
> > Acknowledgments:
> > Even though the issue was discovered and researched independently I
> > cannot claim to be the first one to realize the risks associated with
> > XML external entities. E.g. RFC 2518 discusses the issue in section
> > 17.7 Implications of XML External Entities.
>
> yes, I've been aware of it for a while, I just never did the experiments.

=====
Davanum Srinivas - http://xml.apache.org/~dims/
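Steve's question about turning off entity resolution in SAX, and the bug report's suggested fix of an EntityResolver that aborts, as an added Java example that is not code from the thread or from Axis itself. The class name, the sample document and the placeholder file URI are constructed; the example assumes a Xerces-derived SAX parser (such as the JDK's bundled one), which hands the resolver's own SAXException back to the caller.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class RejectExternalEntities {
    // Constructed sample document: a DTD that declares an external entity and
    // references it in the body, the shape of document the bug report describes.
    static final String XXE_DOC =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE foo [ <!ENTITY ext SYSTEM \"file:///placeholder/path\"> ]>\n"
        + "<foo>&ext;</foo>";

    /** SAX reader whose EntityResolver aborts the parse on any external entity request. */
    static XMLReader hardenedReader() throws Exception {
        XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        // The resolver is consulted before the parser opens any SYSTEM or PUBLIC
        // identifier, so throwing here stops the file/device/network access itself.
        reader.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("external entity rejected: " + systemId);
        });
        return reader;
    }

    /** Character data that reached the handler, or null if the resolver aborted the parse. */
    static String parseBody(String xml) throws Exception {
        StringBuilder body = new StringBuilder();
        XMLReader reader = hardenedReader();
        reader.setContentHandler(new DefaultHandler() {
            @Override public void characters(char[] ch, int start, int len) {
                body.append(ch, start, len);
            }
        });
        try {
            reader.parse(new InputSource(new StringReader(xml)));
        } catch (SAXException e) {
            // Xerces rethrows the resolver's exception unchanged; other parsers may wrap it.
            if (e.getMessage() != null && e.getMessage().startsWith("external entity rejected")) return null;
            throw e;
        }
        return body.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain body: " + parseBody("<foo>hello</foo>"));
        System.out.println("XXE body:   " + parseBody(XXE_DOC));
    }
}
```

A second, parser-specific layer is to also clear the SAX features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` on the factory; with those off, Xerces skips the entity instead of resolving it, so the resolver above becomes the backstop for parsers that do not honour them.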