Roberto Cortez [http://community.jboss.org/people/radcortez] created the 
discussion

"Disable DTD declaration"

To view the discussion, visit: http://community.jboss.org/message/536246#536246

--------------------------------------------------------------
Hi,

How can I disable the doctype declarations, to prevent XXE injection? At the 
moment, I'm using JBoss 4.2.3 with JBossWS 3.1.1, and I can do stuff like this:

<!DOCTYPE root 
[
<!ENTITY xxe SYSTEM "/windows/system32/drivers/etc/hosts">
]>

And inject the xxe entity into my SOAP parameters. How can I prevent this from 
happening? I found this page 
http://java.sun.com/j2se/1.5.0/docs/guide/xml/jaxp/JAXP-Compatibility_150.html#JAXP_security,
which speaks about disabling the DTD declarations. Is this the way to go? Or 
is there some other way?

Best Regards

Roberto Cortez

--------------------------------------------------------------

Reply to this message by going to Community
[http://community.jboss.org/message/536246#536246]

Start a new discussion in JBoss Web Services at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2044]

_______________________________________________
jboss-user mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/jboss-user
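The hardening the question asks about, shown on a plain JAXP DocumentBuilder rather than inside JBossWS. This is an added example, not code from the original post or from JBossWS; the class and method names (XxeDemo, defaultFactory, hardenedFactory, parseRootText) are this example's own, and a temporary file with a known marker stands in for the hosts file named in the post. It parses the same DOCTYPE payload twice: once with a factory left at the JDK defaults, where the SYSTEM entity is resolved unless the JDK has been configured otherwise, and once with a factory that rejects any DOCTYPE outright and, as defence in depth, also turns off external entity resolution and external DTD loading.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    /** A factory left at the JDK defaults: DOCTYPE allowed, external entities resolved. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** A factory that rejects any DOCTYPE and, as defence in depth, disables external entities. */
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: reject the DOCTYPE declaration itself. This is a Xerces feature,
        // which the parser bundled with the JDK supports; a third-party parser that does not
        // know it will throw ParserConfigurationException here rather than silently ignore it.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a DOCTYPE ever gets through: no external general or
        // parameter entities, and no fetching of an external DTD.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parses the document and returns the root element's text, or null if the parser rejects it. */
    static String parseRootText(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for /windows/system32/drivers/etc/hosts: a temp file with a marker.
        File secret = File.createTempFile("xxe-demo", ".txt");
        secret.deleteOnExit();
        FileWriter w = new FileWriter(secret);
        w.write("SECRET-FILE-CONTENT");
        w.close();

        // Same shape as the payload in the post, pointed at the temp file instead.
        String payload =
            "<!DOCTYPE root [\n" +
            "  <!ENTITY xxe SYSTEM \"" + secret.toURI() + "\">\n" +
            "]>\n" +
            "<root>&xxe;</root>";

        System.out.println("default parser  -> " + parseRootText(defaultFactory(), payload));
        System.out.println("hardened parser -> " + parseRootText(hardenedFactory(), payload));
    }
}
```

Two caveats worth checking in practice. First, disallow-doctype-decl is the one setting that closes the whole class of DOCTYPE-based attacks (external entities, entity expansion, external DTDs) at once; the other features are there only so that a parser which does not honour it still refuses to fetch anything. Second, these settings apply to parsers your own code creates; message parsing performed inside JBossWS happens in parsers the framework configures, so the same features have to be applied wherever that parser is set up, which this example does not show.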
