Per Forsh [http://community.jboss.org/people/pforsh] created the discussion

"Prevent injection from DOCTYPE declarations"

To view the discussion, visit: http://community.jboss.org/message/596146#596146

--------------------------------------------------------------
I have a JBossAS server, version 5.0.1. After security testing we now know 
that it is possible to use the following code to find/guess open ports.

POST /some/WebService HTTP/1.1
Content-type: text/xml;charset="utf-8"
Soapaction: ""
Accept: text/xml, multipart/related, text/html, image/gif, image/jpeg, *; q=.2, 
*/*; q=.2
User-Agent: JAX-WS RI 2.1.6 in JDK 6
Host: localhost:8443
Connection: close
Content-Length: 265


<?xml version="1.0" ?><!DOCTYPE arg0 [ <!ENTITY x SYSTEM 
"http://127.0.0.1:50000"> ] ><S:Envelope 
xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><tns:enrollStatus 
xmlns:tns="http://www.xx.xx/"><arg0>&x;</arg0></tns:enrollStatus></S:Body></S:Envelope>

I have read the discussion http://community.jboss.org/message/536246#536246 
and from that upgraded jbossws to 3.4.0, but the server still accepts a URL 
to be injected. I also had problems with this kind of code:

POST /some/WebService HTTP/1.1
Content-type: text/xml;charset="utf-8"
Soapaction: ""
Accept: text/xml, multipart/related, text/html, image/gif, image/jpeg, *; q=.2, 
*/*; q=.2
User-Agent: JAX-WS RI 2.1.6 in JDK 6
Host: localhost:8443
Connection: close
Content-Length: 243


<?xml version="1.0" ?><!DOCTYPE arg0 [ <!ENTITY x "aaaa"> ] ><S:Envelope 
xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><tns:enrollStatus 
xmlns:tns="http://www.xx.xx/"><arg0>&x;</arg0></tns:enrollStatus></S:Body></S:Envelope>

But this injection was not allowed after the upgrade to jbossws 3.4.0, where x 
now is just "blank". Before the upgrade x was injected as "aaaa".

Best Regards,
Per Forsh
--------------------------------------------------------------
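The two requests in the post differ only in their DOCTYPE: one declares a SYSTEM entity pointing at a local port (the parser's attempt to fetch it is what leaks whether the port is open), the other declares an internal entity that the endpoint echoed back. Both are prevented by the same parser setting: refuse DOCTYPE declarations altogether. The example below is added here and is not code from the post, from JBossWS or from JAX-WS; it assumes a plain JAXP `DocumentBuilderFactory` backed by the JDK's built-in Xerces parser, and the class, method and payload names are constructed for illustration. The two payloads are rebuilt from the post's requests; the third, DOCTYPE-free payload is constructed to confirm that ordinary SOAP still parses.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class DoctypeRejectionCheck {

    // Constructed payload modelled on the first request in the post:
    // a SYSTEM entity whose resolution would open a connection to 127.0.0.1:50000.
    static final String SYSTEM_ENTITY_PAYLOAD =
        "<?xml version=\"1.0\" ?><!DOCTYPE arg0 [ <!ENTITY x SYSTEM \"http://127.0.0.1:50000\"> ] >"
      + "<S:Envelope xmlns:S=\"http://schemas.xmlsoap.org/soap/envelope/\"><S:Body>"
      + "<tns:enrollStatus xmlns:tns=\"http://www.xx.xx/\"><arg0>&x;</arg0></tns:enrollStatus>"
      + "</S:Body></S:Envelope>";

    // Constructed payload modelled on the second request: an internal entity only.
    static final String INTERNAL_ENTITY_PAYLOAD =
        "<?xml version=\"1.0\" ?><!DOCTYPE arg0 [ <!ENTITY x \"aaaa\"> ] >"
      + "<S:Envelope xmlns:S=\"http://schemas.xmlsoap.org/soap/envelope/\"><S:Body>"
      + "<tns:enrollStatus xmlns:tns=\"http://www.xx.xx/\"><arg0>&x;</arg0></tns:enrollStatus>"
      + "</S:Body></S:Envelope>";

    // Constructed control: the same envelope with no DOCTYPE at all.
    static final String CLEAN_PAYLOAD =
        "<?xml version=\"1.0\" ?>"
      + "<S:Envelope xmlns:S=\"http://schemas.xmlsoap.org/soap/envelope/\"><S:Body>"
      + "<tns:enrollStatus xmlns:tns=\"http://www.xx.xx/\"><arg0>1234</arg0></tns:enrollStatus>"
      + "</S:Body></S:Envelope>";

    // Builds a parser that refuses any DOCTYPE. The first feature is the one that
    // matters; the rest are defence in depth for implementations that ignore it.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true when the hardened parser rejects the document before any
    // entity could be resolved; a document that parses cleanly returns false.
    static boolean isRejected(String xml) {
        try {
            hardenedBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXException e) {
            // Xerces reports "DOCTYPE is disallowed when the feature ... set to true"
            return true;
        } catch (IOException | ParserConfigurationException e) {
            // A failed read or an unsupported feature is also treated as a rejection.
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("SYSTEM entity payload rejected:   " + isRejected(SYSTEM_ENTITY_PAYLOAD));   // true
        System.out.println("internal entity payload rejected: " + isRejected(INTERNAL_ENTITY_PAYLOAD)); // true
        System.out.println("DOCTYPE-free payload rejected:    " + isRejected(CLEAN_PAYLOAD));           // false
    }
}
```

Rejecting the DOCTYPE outright is the behaviour to aim for: the upgraded stack in the post turned `&x;` into an empty string, which hides the problem from the caller, whereas a parse failure turns every such request into a SOAP fault that is easy to log and alert on. On a JBossWS endpoint the parser is configured by the stack rather than by application code, so this check is most useful for verifying the parser settings the stack ends up using, or for any place where a deployment parses raw SOAP bodies itself.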


_______________________________________________
jboss-user mailing list
https://lists.jboss.org/mailman/listinfo/jboss-user