[ https://issues.apache.org/jira/browse/BATIK-1018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14351475#comment-14351475 ]

Tony BenBrahim commented on BATIK-1018:
---------------------------------------

It will take more than documentation improvements, as some classes do not 
expose any way to configure the parser or parser factory between creation and 
use, and require subclassing, access to the source, etc.; we are now well 
past the point of the casual user. See BATIK-1113 for details.

More to the point, the ideal fail-safe solution would be to disable XXE by 
default, and provide methods to turn the features back on for the handful of 
users who need this feature. If BATIK is run in a server environment, you most 
certainly do not want this feature, unless you also fully control external 
entity resolution and loading. I suspect the majority of users do not know what 
XML external entities are, do not need them and are not aware of the security 
implications, so the fail-safe approach seems like the best approach.

> "XML External Entities" vulnerability
> -------------------------------------
>
>                 Key: BATIK-1018
>                 URL: https://issues.apache.org/jira/browse/BATIK-1018
>             Project: Batik
>          Issue Type: Bug
>          Components: Web Site
>    Affects Versions: 1.8
>         Environment: Operating System: All
> Platform: All
>            Reporter: Nicolas GREGOIRE
>            Assignee: Batik Developer's Mailing list
>         Attachments: xxe.png, xxe.svg
>
>
> During visualization with Squiggle or rasterization via the CLI tool, XML 
> external entities defined in the DTD are dereferenced and the content of the 
> target file is included in the output.
> The impact of this vulnerability ranges from denial of service to file 
> disclosure. Under Windows, it can also be used to steal LM/NTLM hashes.
> For some additional information about XXE attacks, please refer to 
> http://cwe.mitre.org/data/definitions/827.html
> How to reproduce: 
> $> rasterizer xxe.svg -d xxe.png
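
The "off by default, explicit opt-in" parser policy proposed in the comment above, as an added example in plain JAXP (not Batik's own parser configuration; the class and method names and the sample SVG are constructed for illustration):

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class SvgEntityPolicy {

    // Constructed sample, not the xxe.svg attached to the issue: an SVG whose
    // internal DTD subset declares an external general entity. The SYSTEM URI
    // is a placeholder and is only opened if the parser resolves the entity.
    static final String SVG_WITH_XXE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE svg [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret.txt\"> ]>\n"
      + "<svg xmlns=\"http://www.w3.org/2000/svg\"><text>&ext;</text></svg>";

    /** Collected text plus the entities the parser declined to expand. */
    static final class Result {
        final String text; final List<String> skippedEntities;
        Result(String text, List<String> skipped) { this.text = text; this.skippedEntities = skipped; }
    }

    /** Fail-safe default: external entities and external DTD loading are off
     *  unless the caller explicitly passes allowExternalEntities = true. */
    static SAXParserFactory newFactory(boolean allowExternalEntities) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", allowExternalEntities);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", allowExternalEntities);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", allowExternalEntities);
        return f;
    }

    static Result parse(String xml, boolean allowExternalEntities) throws Exception {
        XMLReader reader = newFactory(allowExternalEntities).newSAXParser().getXMLReader();
        StringBuilder text = new StringBuilder();
        List<String> skipped = new ArrayList<>();
        reader.setContentHandler(new DefaultHandler() {
            @Override public void characters(char[] ch, int start, int len) { text.append(ch, start, len); }
            // Xerces reports an unexpanded external entity here instead of reading the target.
            @Override public void skippedEntity(String name) { skipped.add(name); }
        });
        reader.parse(new InputSource(new StringReader(xml)));
        return new Result(text.toString(), skipped);
    }

    public static void main(String[] args) throws Exception {
        Result safe = parse(SVG_WITH_XXE, false);
        System.out.println("hardened: text='" + safe.text + "' skipped=" + safe.skippedEntities);
        try {
            parse(SVG_WITH_XXE, true); // opt-in path: the parser now tries to open the SYSTEM URI
        } catch (Exception e) {
            System.out.println("opt-in: parser attempted to fetch the entity: " + e);
        }
    }
}
```

With the default (hardened) factory the text node comes back empty and `ext` is listed as skipped; only the opt-in call attempts to read the SYSTEM URI, which is the behaviour the issue reports for the rasterizer.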



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
