Ferenc Denes created OOZIE-2489:
-----------------------------------

             Summary: XML parsing is vulnerable
                 Key: OOZIE-2489
                 URL: https://issues.apache.org/jira/browse/OOZIE-2489
             Project: Oozie
          Issue Type: Bug
    Affects Versions: 4.1.0
            Reporter: Ferenc Denes
            Assignee: Ferenc Denes
             Fix For: trunk


The XML parsing has some security problems:
XML External Entity attack:
XML External Entity attacks benefit from an XML feature to build documents 
dynamically at the time of processing. An XML entity allows inclusion of data 
dynamically from a given resource. External entities allow an XML document to 
include data from an external URI. Unless configured to do otherwise, external 
entities force the XML parser to access the resource specified by the URI, 
e.g., a file on the local machine or on a remote system. This behavior exposes 
the application to XML External Entity (XXE) attacks, which can be used to 
perform denial of service of the local system, gain unauthorized access to 
files on the local machine, scan remote machines, and perform denial of service 
of remote systems.

The following XML document shows an example of an XXE attack.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>


This example could crash the server (on a UNIX system), if the XML parser 
attempts to substitute the entity with the contents of the /dev/random file.


XML Entity Expansion injection, also known as an XML Bomb, is a DoS attack that 
benefits from valid and well-formed XML blocks that expand exponentially until 
they exhaust the resources allocated to the server. XML allows custom entities 
to be defined which act as string substitution macros. By nesting recursive 
entity resolutions, an attacker can easily exhaust the server's resources.

The following XML document shows an example of an XML Bomb.

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>


Both problems can be solved by setting features and parameters of the XML 
parser factories.
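As an added illustration of that fix (example code written for this note, not Oozie's own patch), the following Java program configures a DocumentBuilderFactory and a SAXParserFactory with the Xerces/JAXP features that refuse DOCTYPE declarations and disable external entity resolution, then feeds it the entity-expansion document from above (cut to three levels) and an external-entity document whose SYSTEM URI is a placeholder. The feature URIs are the standard ones supported by the JDK's built-in parser; the class name, the helper method names and the sample Oozie workflow snippet are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlParsing {

    // Feature URIs understood by Xerces-based JAXP implementations, including the JDK's own.
    private static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL =
            "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER =
            "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD =
            "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** DOM factory that rejects any DOCTYPE and never resolves external entities or DTDs. */
    public static DocumentBuilderFactory hardenedDocumentBuilderFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // entity expansion limits
        f.setFeature(DISALLOW_DOCTYPE, true);   // no DTD at all: stops both XXE and XML bombs
        f.setFeature(EXTERNAL_GENERAL, false);  // belt and braces in case DOCTYPE is ever allowed
        f.setFeature(EXTERNAL_PARAMETER, false);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        f.setXIncludeAware(false);              // XInclude can pull in local files too
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Same hardening for SAX-based parsing. */
    public static SAXParserFactory hardenedSaxParserFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXTERNAL_GENERAL, false);
        f.setFeature(EXTERNAL_PARAMETER, false);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        f.setXIncludeAware(false);
        return f;
    }

    /** Returns true when the hardened parser rejects the document, false when it parses it. */
    public static boolean isRejectedByHardenedParser(String xml) throws Exception {
        DocumentBuilder b = hardenedDocumentBuilderFactory().newDocumentBuilder();
        // Even if an entity slipped through, resolve it to an empty source rather than the URI.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    /** Length of the root element's text after parsing with factory defaults (substitutes entities). */
    public static int expandedLengthWithDefaults(String xml) throws Exception {
        DocumentBuilder b = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent().length();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: the entity-expansion document from the report, cut to three
        // levels so that it is harmless, an external-entity reference to a placeholder path,
        // and an ordinary workflow definition with no DOCTYPE.
        String bomb = "<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n<!ENTITY lol \"lol\">\n"
                + "<!ENTITY lol2 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
                + "<!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n"
                + "]>\n<lolz>&lol3;</lolz>";
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///PLACEHOLDER_PATH\">]>\n"
                + "<foo>&xxe;</foo>";
        String plain = "<?xml version=\"1.0\"?><workflow-app name=\"demo\">"
                + "<start to=\"end\"/><end name=\"end\"/></workflow-app>";

        System.out.println("default parser expands the 3-level bomb to "
                + expandedLengthWithDefaults(bomb) + " characters");
        System.out.println("hardened parser rejects bomb:  " + isRejectedByHardenedParser(bomb));
        System.out.println("hardened parser rejects xxe:   " + isRejectedByHardenedParser(xxe));
        System.out.println("hardened parser rejects plain: " + isRejectedByHardenedParser(plain));
    }
}
```

With disallow-doctype-decl enabled, both the entity-expansion sample and the external-entity sample are refused with a SAXParseException at the DOCTYPE line, before any entity is defined or resolved, while the DOCTYPE-free workflow document parses normally. The default factory, by contrast, substitutes the nested entities (1000 copies of "lol" for the three-level sample), which is exactly the behaviour the full nine-level document above turns into a denial of service. Setting DISALLOW_DOCTYPE is the decisive switch; the remaining features matter for callers that must accept a DTD and therefore cannot use it.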



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)