[
https://issues.apache.org/jira/browse/AXIS2-5877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Donald Kwakkel updated AXIS2-5877:
----------------------------------
Description:
XML parser configured in ConvertUtils.java:225 does not prevent nor limit
external entities resolution. This can expose the parser to an XML External
Entities attack.
Proposed fix: Enable where TransformerFactory is used always the secure
processing feature:
{code:java}
public static TransformerFactory createTransformerFactory() {
TransformerFactory factory = TransformerFactory.newInstance();
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
}
catch (TransformerConfigurationException e) {
throw new IllegalStateException(e);
}
return factory;
}
{code}
Also in XSLTTemplateProcessor.java:147 (XSLT Injection) and other locations
where this and DocumentBuilderFactory is handled wrong. See attached
screenshots.
was:
XML parser configured in ConvertUtils.java:225 does not prevent nor limit
external entities resolution. This can expose the parser to an XML External
Entities attack.
Proposed fix: Enable where TransformerFactory is used always the secure
processing feature:
{code:java}
public static TransformerFactory createTransformerFactory() {
TransformerFactory factory = TransformerFactory.newInstance();
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
}
catch (TransformerConfigurationException e) {
throw new IllegalStateException(e);
}
return factory;
}
{code}
Also found other locations where this and DocumentBuilderFactory is handled
wrong. See attached screenshots.
> XML External Entity Injections
> ------------------------------
>
> Key: AXIS2-5877
> URL: https://issues.apache.org/jira/browse/AXIS2-5877
> Project: Axis2
> Issue Type: Bug
> Components: jaxws
> Affects Versions: 1.7.6
> Reporter: Donald Kwakkel
> Priority: Critical
> Labels: security
> Attachments: xxe1.png, xxe2.png
>
>
> XML parser configured in ConvertUtils.java:225 does not prevent nor limit
> external entities resolution. This can expose the parser to an XML External
> Entities attack.
> Proposed fix: Enable where TransformerFactory is used always the secure
> processing feature:
> {code:java}
> public static TransformerFactory createTransformerFactory() {
> TransformerFactory factory = TransformerFactory.newInstance();
> try {
>
> factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
> }
> catch (TransformerConfigurationException e) {
> throw new IllegalStateException(e);
> }
> return factory;
> }
> {code}
> Also in XSLTTemplateProcessor.java:147 (XSLT Injection) and other locations
> where this and DocumentBuilderFactory is handled wrong. See attached
> screenshots.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
