[
https://issues.apache.org/jira/browse/AXIS2-5877?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16160313#comment-16160313
]
Andreas Veithen commented on AXIS2-5877:
----------------------------------------
{{XSLTTemplateProcessor}} is not security sensitive because it's only used
during code generation. Can you provide a test case or exploit that shows how
the code in {{ConvertUtils}} would be used to carry out an attack
([CVE-2010-1632|https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf]
provides an example)?
> XML External Entity Injections
> ------------------------------
>
> Key: AXIS2-5877
> URL: https://issues.apache.org/jira/browse/AXIS2-5877
> Project: Axis2
> Issue Type: Bug
> Components: jaxws
> Affects Versions: 1.7.6
> Reporter: Donald Kwakkel
> Priority: Critical
> Labels: security
> Attachments: xxe1.png, xxe2.png
>
>
> XML parser configured in ConvertUtils.java:225 does not prevent nor limit
> external entities resolution. This can expose the parser to an XML External
> Entities attack.
> Proposed fix: Enable where TransformerFactory is used always the secure
> processing feature:
> {code:java}
> public static TransformerFactory createTransformerFactory() {
> TransformerFactory factory = TransformerFactory.newInstance();
> try {
>
> factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
> }
> catch (TransformerConfigurationException e) {
> throw new IllegalStateException(e);
> }
> return factory;
> }
> {code}
> Also in XSLTTemplateProcessor.java:147 (XSLT Injection) and other locations
> where this and DocumentBuilderFactory is handled wrong. See attached
> screenshots.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
