Do we have XML Injection thread on AXIS 1.X Soap Servers?

[Venkatesh Jayaraman \(jvenky\)]

Security Issue Posed by Nested Entity Definitions While XML does not allow recursive entity definitions, it does permit nested entity definitions, which produces the potential for Denial of Service attacks on a server which accepts XML data from external sources. For example, a SOAP document like the following that has very deeply nested entity definitions can consume 100% of CPU time and large amounts of memory in entity expansions: <?xml version="1.0" encoding ="UTF-8"?>  <!DOCTYPE foobar[  <!ENTITY x100 "foobar">  <!ENTITY  x99 "&x100;&x100;">  <!ENTITY  x98 "&x99;&x99;">  ...  <!ENTITY   x2 "&x3;&x3;">  <!ENTITY   x1 "&x2;&x2;">  ]> <SOAP-ENV:Envelope xmlns:SOAP-ENV=...> <SOAP-ENV:Body> <ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV:encodingStyle="..."> <foobar xsi:type="xsd:string">&x1;</foobar> </ns1:aaa> </SOAP-ENV:Body> </SOAP-ENV:Envelope> A system that doesn't take in external XML data need not be concerned with the issue, but one that does can utilize one of the following safeguards to prevent the problem: New system property to limit entity expansion The entityExpansionLimit system property lets existing applications constrain the total number of entity expansions without recompiling the code. The parser throws a fatal error once it has reached the entity expansion limit. (By default, the limit is set to 64000.) To set the entity expansion limit using the system property, use an option like the following on the java command line: -DentityExpansionLimit=100000   New parser property to disallow DTDs The application can also set the http://apache.org/xml/features/disallow-doctype-decl parser property to true. A fatal error is then thrown if the incoming XML document contains a DOCTYPE declaration. (The default value for this property is false.) This property is typically useful for SOAP based applications where a SOAP message must not contain a Document Type Declaration. New feature for Secure Processing JAXP 1.3 includes a new secure processing feature in which an application can configure the SAXParserFactory or DocumentBuilderFactory to get an XML processor that behaves in a secured fashion.  Setting this feature to true sets the entity expansion limit to 64000.  Note that the default limit can be increased using the entityExpansionLimit system property.         http://java.sun.com/j2se/1.5.0/docs/guide/xml/jaxp/JAXP-Compatibility_150.html     Thanks   -Venky (Venkatesh Jayaraman)