Hi, Was Pivotal informed about these advisories and was there any collaboration from them? The current stable is 3.2.4
Thanks, A. On Saturday, November 02, 2013 07:04:59 AM MustLive wrote: > Hello! > > I'll give you additional information concerning advisory XML External > Entity (XXE) Injection in Spring Framework > (http://securityvulns.ru/docs29758.html). > > ------------------------- > Affected products: > ------------------------- > > - 3.0.0 to 3.2.3 (Spring OXM & Spring MVC) > - 4.0.0.M1 (Spring OXM) > - 4.0.0.M1-4.0.0.M2 (Spring MVC) > - Earlier unsupported versions may also be affected > > ------------------------- > Affected vendors: > ------------------------- > > Spring by Pivotal. > > ---------- > Details: > ---------- > > The Spring OXM wrapper doesn't disable external entity resolution when > using the JAXB unmarshaller (SAXSource and StreamSource instances are > vulnerable). Also Spring MVC processes user provided XML with JAXB in > combination with a StAX XMLInputFactory without disabling external entity > resolution. > > Besides standard vectors of attacks with XXE Injection vulnerabilities > (such as local file inclusion), which are usually mentioned in advisories, > XXE Injection also allows to conduct attacks on other sites. And with > using DAVOSET (DDoS attacks via other sites execution tool) it's possible > to automate such attacks. > > I wrote about such attacks in my 2012's article "Using XML External > Entities (XXE) for attacks on other sites" > (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012- > August/008481.html) and 2013's "Using XXE vulnerabilities for attacks on > other sites" > (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013- > August/008887.html). As I described in my articles, XXE vulnerabilities can > be used for conducting CSRF and DoS attacks on other sites (and at using > multiple web sites it's possible to conduct DDoS attacks). And my tool > DAVOSET can be used for conducting such attacks via XXE vulnerabilities. > > In October I released video demonstration of DAVOSET: > http://www.youtube.com/watch?v=RKi35-f346I > > So all vulnerable web applications with affected versions of Spring > Framework can be used for attacks on other sites via XXE Injection. > > Best wishes & regards, > MustLive > Administrator of Websecurity web site > http://websecurity.com.ua > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
