On Fri, Aug 17, 2018 at 12:50 PM Ronak Sharda <ronak.sha...@aricent.com> wrote:
>
> Hi Team,
>
> Greetings for the day!
>
> We are working on an application where an XML External Entity Injection
> vulnerability issue has come across.
>
> SOAP interaction between client and server when an entity DOCTYPE tag is
> introduced:-
>
> Currently the Axis 1.0 jar is being used in the application.
>
> headers = {'content-type': 'text/xml', 'SOAPAction': ''}
>
> body = """<!DOCTYPE getAccountDataTemplate [ <!ENTITY file SYSTEM "%s"> ]>
>           <soapenv:Envelope
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:enc="XXXXXXXXXXXXXXXXXXXXXXXX">
>           <soapenv:Header/>
>           <soapenv:Body>
>           <enc:getAccountDataTemplate
> soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
>           <templateId xsi:type="xsd:string">&file;</templateId>
>           </enc:getAccountDataTemplate>
>           </soapenv:Body>
>           </soapenv:Envelope>""" % fpath
>
> with requests.Session() as session:
>     download_req = session.post(xurl + "XXXXXXXXXXXXXXXXXXXXXXXX", data=body,
>                                 headers=headers, verify=False, allow_redirects=True)
>     print download_req.text
>
> XXXXXXXXXXXXXXXXXXXXXXXX :- Service URL
>
> Actual Output:- Execution of this script results in printing of the
> contents of the drive of the system.
>
> Expected Output:- Drive content should not be shown; inline DTD parsing
> should be disabled.
>
> To overcome the above problem, the Axis 1.0 jar is replaced with the upgraded
> version, i.e. Axis 1.4.
>
> Actual Output:- Execution of the script in point 1 results in the below
> exception:
>
> <?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope
> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><soapenv:Fault><faultcode>soapenv:Server.userException</faultcode><faultstring>org.xml.sax.SAXException:
>  Processing instructions are not allowed within SOAP
> messages</faultstring><detail><ns1:hostname
> xmlns:ns1="http://xml.apache.org/axis/">WIN-6A0L1CSU3OS</ns1:hostname></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope>
>
> Along with the above output, the application breaks since there
> are multiple SOAP calls that interact within the application (client and
> server).

Can you explain this a bit more?

>
> Expected Output:- Inline DTD parsing should be disabled, and the application
> should not break.
>
> Any help in this context is highly appreciated. Looking
> forward to the response.
>
> NOTE:- We won't be able to upgrade the jar to Axis2, since it
> is a legacy application and it will be a gigantic change to work with.
>
> Kindly let us know if any other information related to the above task/issue
> is needed from us.
>
> Regards,
>
> Ronak Sharda
>

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org
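The thread asks for two things: inline DTD parsing must be disabled so the `<!DOCTYPE ... <!ENTITY file SYSTEM ...>>` envelope above can no longer read files, and ordinary SOAP calls must keep working. The following is an added example, not code from the thread, from Axis, or from Ronak's application. It shows the JAXP/SAX parser settings that give both properties, tested against the envelope shape from the thread: a constructed copy carrying an inline DTD (with a placeholder SYSTEM identifier and a placeholder `enc` namespace) is rejected before any entity is resolved, while the same envelope without a DOCTYPE parses normally. How Axis 1.x obtains its SAX parser, and therefore where in that code base these features would have to be applied, is not shown in the thread and is not assumed here; the example only demonstrates the parser configuration itself.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSoapParsing {

    // Feature URIs understood by the Xerces parser bundled with the JDK
    // (and by a Xerces jar on the classpath).
    static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL_ENTITIES =
            "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER_ENTITIES =
            "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD =
            "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Builds a SAXParserFactory that refuses any DOCTYPE and never resolves external entities. */
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // The decisive setting: an inline DTD, and with it every <!ENTITY ...>
        // declaration, makes the parser throw before the document body is touched.
        factory.setFeature(DISALLOW_DOCTYPE, true);
        // Defence in depth for parsers that honour the generic SAX features
        // but not the Xerces-specific one above.
        factory.setFeature(EXT_GENERAL_ENTITIES, false);
        factory.setFeature(EXT_PARAMETER_ENTITIES, false);
        factory.setFeature(LOAD_EXTERNAL_DTD, false);
        factory.setXIncludeAware(false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory;
    }

    /**
     * Parses a SOAP envelope with the hardened parser. Returns true when the
     * message is accepted and false when the parser rejects it; a server would
     * answer a rejection with a SOAP fault instead of processing the request.
     */
    static boolean accepts(String soapEnvelope) throws Exception {
        SAXParser parser = hardenedFactory().newSAXParser();
        InputSource in = new InputSource(
                new ByteArrayInputStream(soapEnvelope.getBytes(StandardCharsets.UTF_8)));
        try {
            parser.parse(in, new DefaultHandler());
            return true;
        } catch (SAXException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
            return false;
        }
    }

    // Constructed sample: the envelope shape from the thread. The enc namespace
    // is a placeholder, and %s is filled with the templateId content.
    static final String ENVELOPE_BODY =
            "<soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""
            + " xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\""
            + " xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\""
            + " xmlns:enc=\"urn:placeholder-service-namespace\">"
            + "<soapenv:Header/><soapenv:Body>"
            + "<enc:getAccountDataTemplate"
            + " soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
            + "<templateId xsi:type=\"xsd:string\">%s</templateId>"
            + "</enc:getAccountDataTemplate></soapenv:Body></soapenv:Envelope>";

    // Same envelope with the inline DTD from the thread; the SYSTEM identifier is
    // a constructed placeholder and is never resolved by the hardened parser.
    static final String WITH_INLINE_DTD =
            "<!DOCTYPE getAccountDataTemplate"
            + " [ <!ENTITY file SYSTEM \"file:///placeholder/path\"> ]>"
            + String.format(ENVELOPE_BODY, "&file;");

    // A legitimate request of the kind the application's other SOAP calls send.
    static final String WITHOUT_DTD = String.format(ENVELOPE_BODY, "template-42");

    public static void main(String[] args) throws Exception {
        System.out.println("inline DTD accepted?   " + accepts(WITH_INLINE_DTD));
        System.out.println("plain request accepted? " + accepts(WITHOUT_DTD));
    }
}
```

Run with `javac HardenedSoapParsing.java && java HardenedSoapParsing`. The first call returns false (the parser throws on the DOCTYPE, so the `SYSTEM` identifier is never opened), the second returns true, which is the combination the thread is after: the entity payload is stopped at the parser, and a DOCTYPE-free envelope is untouched, so other SOAP calls in the application are not affected by the setting. The `disallow-doctype-decl` feature is the one that matters; the external-entity and `load-external-dtd` features are kept switched off as well so that a parser implementation that does not recognise the Xerces feature still refuses to fetch anything.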
