[ https://issues.apache.org/jira/browse/BATIK-1018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15036792#comment-15036792 ]
Lars Krapf commented on BATIK-1018:
-----------------------------------

Hello

The fix for this issue seems to be incomplete. You should also disable external DTD resolution to avoid SSRF:

{code}
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
{code}

See attached ssrf.svg for an example.

> "XML External Entities" vulnerability
> -------------------------------------
>
>                 Key: BATIK-1018
>                 URL: https://issues.apache.org/jira/browse/BATIK-1018
>             Project: Batik
>          Issue Type: Bug
>          Components: Web Site
>    Affects Versions: 1.8
>         Environment: Operating System: All
>                      Platform: All
>            Reporter: Nicolas GREGOIRE
>            Assignee: Batik Developer's Mailing list
>             Fix For: trunk
>
>         Attachments: xxe.png, xxe.svg
>
>
> During visualization with Squiggle or rasterization via the CLI tool, XML
> external entities defined in the DTD are dereferenced and the content of the
> target file is included in the output.
> The impact of this vulnerability ranges from denial of service to file
> disclosure. Under Windows, it can also be used to steal LM/NTLM hashes.
> For some additional information about XXE attacks, please refer to
> http://cwe.mitre.org/data/definitions/827.html
> How to reproduce:
> $> rasterizer xxe.svg -d xxe.png

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
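The comment above gives one feature flag in isolation. The following is an added example (not Batik's code and not the attached ssrf.svg) showing the full set of JAXP/Xerces settings a hardened DOM parser needs, the `load-external-dtd` flag among them, and contrasting a default `DocumentBuilderFactory` with the hardened one on a constructed SVG. Assumptions: `dbf` in the comment is a `javax.xml.parsers.DocumentBuilderFactory`, the JDK's bundled Xerces parser is in use (it accepts all the feature URIs below), and the DTD/entity target `http://127.0.0.1:9/...` is a made-up closed port chosen so the outbound request fails loudly instead of reaching anything.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class HardenedSvgParse {

    // Constructed sample (not the ssrf.svg from the ticket): a DOCTYPE whose
    // SYSTEM id points at an external DTD, plus an external general entity.
    // A parser that resolves either one makes an outbound request; swap the
    // URL for file:///etc/passwd and the same mechanism becomes file disclosure.
    static final String SSRF_SVG =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE svg SYSTEM \"http://127.0.0.1:9/ssrf.dtd\" [\n" +
        "  <!ENTITY ext SYSTEM \"http://127.0.0.1:9/xxe\">\n" +
        "]>\n" +
        "<svg xmlns=\"http://www.w3.org/2000/svg\"><text>&ext;</text></svg>\n";

    // Factory hardened against XXE and DTD-driven SSRF.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Strongest option: refuse any DOCTYPE at all. If SVG input with a
        // DOCTYPE must be accepted, drop this line and rely on the rest.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // No external general entities (the classic file-disclosure XXE).
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // No external parameter entities (blind / out-of-band XXE via the DTD).
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // The flag from the comment: do not fetch the DTD named in
        // <!DOCTYPE ... SYSTEM "..."> even though we are not validating.
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // XInclude is another way to pull in external content.
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // Entity-expansion limits (billion-laughs style denial of service).
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf;
    }

    // Parse and report the outcome instead of throwing, so both factories
    // can be compared side by side.
    static String tryParse(DocumentBuilderFactory dbf, String xml) {
        try {
            DocumentBuilder db = dbf.newDocumentBuilder();
            Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed: root=" + doc.getDocumentElement().getTagName();
        } catch (Exception e) {
            return "rejected/failed: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Default factory: Xerces tries to fetch http://127.0.0.1:9/ssrf.dtd,
        // i.e. the SSRF request is made (here it surfaces as a connection error).
        System.out.println("default : " + tryParse(DocumentBuilderFactory.newInstance(), SSRF_SVG));
        // Hardened factory: the DOCTYPE is refused before any I/O happens.
        System.out.println("hardened: " + tryParse(hardenedFactory(), SSRF_SVG));
    }
}
```

The check a practitioner wants is the first line of output: a default factory fails with a network error (the request left the process), the hardened factory fails with a parse error that names the DOCTYPE (nothing left the process). If the tool must still accept SVG carrying a DOCTYPE, keep every setting except `disallow-doctype-decl`; the `load-external-dtd` and external-entity flags together are what stop the dereference.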