[ https://issues.apache.org/jira/browse/BATIK-1189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16022507#comment-16022507 ]
simon steiner commented on BATIK-1189:
--------------------------------------

Similar to BATIK-1139

> XML External Entity Injection
> -----------------------------
>
>                 Key: BATIK-1189
>                 URL: https://issues.apache.org/jira/browse/BATIK-1189
>             Project: Batik
>          Issue Type: Bug
>    Affects Versions: 1.9
>            Reporter: Donald Kwakkel
>            Priority: Critical
>
> XML parsers/transformers do not prevent or limit external entity
> resolution. This can expose the parser to an XML External Entities attack.
> Following places:
> # ImageIODebugUtil.dumpNode (TransformerFactory)
> # NodePickerPanel.parseXml (DocumentBuilderFactory)
> # SAXSVGDocumentFactory.resolveEntity (line 374 returns null, which falls back
> to the default resolver)
> # XMLInputHandler.handle (both Transformer and Document Factory)
> For DocumentBuilderFactory you probably need to set:
> {code}
> factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
> factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
> {code}
> For TransformerFactory:
> {code}
> factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
> {code}
> Explanation:
> XML External Entities attacks benefit from an XML feature to build documents
> dynamically at the time of processing. An XML entity allows inclusion of data
> dynamically from a given resource. External entities allow an XML document to
> include data from an external URI. Unless configured to do otherwise,
> external entities force the XML parser to access the resource specified by
> the URI, e.g., a file on the local machine or on a remote system. This
> behavior exposes the application to XML External Entity (XXE) attacks, which
> can be used to perform denial of service of the local system, gain
> unauthorized access to files on the local machine, scan remote machines, and
> perform denial of service of remote systems.
> The following XML document shows an example of an XXE attack.
> {code}
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <!DOCTYPE foo [
> <!ELEMENT foo ANY >
> <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
> {code}
> This example could crash the server (on a UNIX system), if the XML parser
> attempts to substitute the entity with the contents of the /dev/random file.
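The hardening the report asks for, written out as a self-contained Java example. This is added illustration, not code from the Batik project or from anyone on this thread. It applies the two SAX features and FEATURE_SECURE_PROCESSING named in the report, and goes a step further with settings the report does not mention: the Xerces `load-external-dtd` feature, the JAXP 1.5 `ACCESS_EXTERNAL_DTD` / `ACCESS_EXTERNAL_STYLESHEET` attributes, and an `EntityResolver` that returns an empty `InputSource` instead of `null` (the fallback-to-default-resolver problem described for `SAXSVGDocumentFactory.resolveEntity`). A DOCTYPE is deliberately still accepted, because SVG files commonly carry one. The sample document is constructed here and points at `file:///dev/null` rather than `/dev/random` so a misconfigured parser would still terminate.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;

public class XxeHardening {

    // Constructed sample in the shape of the report's example. The entity points at
    // file:///dev/null instead of /dev/random so that even an unhardened parser terminates.
    static final String XXE_DOCUMENT =
        "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n"
        + "<!DOCTYPE foo [\n"
        + "<!ELEMENT foo ANY >\n"
        + "<!ENTITY xxe SYSTEM \"file:///dev/null\" >]><foo>&xxe;</foo>";

    /**
     * Entity resolver that never touches the file system or network. Returning null
     * would hand resolution back to the parser's default resolver, which is the
     * behaviour the report describes for SAXSVGDocumentFactory.resolveEntity.
     */
    static final class EmptyEntityResolver implements EntityResolver {
        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            return new InputSource(new StringReader(""));
        }
    }

    /**
     * DocumentBuilderFactory with the two features from the report switched off, plus
     * the Xerces feature that stops the external DTD subset from being fetched. The
     * DOCTYPE itself is still accepted (SVG files routinely carry one); the external
     * references inside it are simply never followed.
     */
    static DocumentBuilderFactory hardenedDocumentBuilderFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    /** TransformerFactory with secure processing on and every external access disabled. */
    static TransformerFactory hardenedTransformerFactory() throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 access properties: an empty string allows no protocol at all.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /** Parses with the hardened builder and returns the root element's text content. */
    static String parseRootText(String xml) throws Exception {
        DocumentBuilder builder = hardenedDocumentBuilderFactory().newDocumentBuilder();
        builder.setEntityResolver(new EmptyEntityResolver());
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    /** Runs an identity transform; returns true if the external entity was refused. */
    static boolean transformRefusesExternalEntity(String xml) throws TransformerException {
        Transformer transformer = hardenedTransformerFactory().newTransformer();
        try {
            transformer.transform(new StreamSource(new StringReader(xml)),
                                  new StreamResult(new StringWriter()));
            return false;
        } catch (TransformerException e) {
            // Access to file:///dev/null is blocked by the accessExternalDTD restriction.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // The external entity is skipped, so the element body is empty, not file content.
        System.out.println("root text: \"" + parseRootText(XXE_DOCUMENT) + "\"");
        System.out.println("transform refused external entity: "
            + transformRefusesExternalEntity(XXE_DOCUMENT));
    }
}
```

Compile and run with `javac XxeHardening.java && java XxeHardening`; no dependencies beyond the JDK are needed. The two code paths mirror the two factory types listed in the report: the DOM path silently skips the entity and yields an empty `<foo>`, while the transformer path fails the transform outright because the JAXP access restriction treats the external reference as a fatal error.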