[jira] [Commented] (AXIS2-5877) XML External Entity Injections
[ https://issues.apache.org/jira/browse/AXIS2-5877?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16160313#comment-16160313 ] Andreas Veithen commented on AXIS2-5877: {{XSLTTemplateProcessor}} is not security sensitive because it's only used during code generation. Can you provide a test case or exploit that shows how the code in {{ConvertUtils}} would be used to carry out an attack ([CVE-2010-1632|https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf] provides an example)? > XML External Entity Injections > -- > > Key: AXIS2-5877 > URL: https://issues.apache.org/jira/browse/AXIS2-5877 > Project: Axis2 > Issue Type: Bug > Components: jaxws >Affects Versions: 1.7.6 >Reporter: Donald Kwakkel >Priority: Critical > Labels: security > Attachments: xxe1.png, xxe2.png > > > XML parser configured in ConvertUtils.java:225 does not prevent nor limit > external entities resolution. This can expose the parser to an XML External > Entities attack. > Proposed fix: Enable where TransformerFactory is used always the secure > processing feature: > {code:java} > public static TransformerFactory createTransformerFactory() { > TransformerFactory factory = TransformerFactory.newInstance(); > try { > > factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); > } > catch (TransformerConfigurationException e) { > throw new IllegalStateException(e); > } > return factory; > } > {code} > Also in XSLTTemplateProcessor.java:147 (XSLT Injection) and other locations > where this and DocumentBuilderFactory is handled wrong. See attached > screenshots. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org For additional commands, e-mail: java-dev-h...@axis.apache.org
[jira] [Commented] (AXIS2-5877) XML External Entity Injections
[ https://issues.apache.org/jira/browse/AXIS2-5877?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16159617#comment-16159617 ] Hudson commented on AXIS2-5877: --- SUCCESS: Integrated in Jenkins build Axis2 #3825 (See [https://builds.apache.org/job/Axis2/3825/]) AXIS2-5877: Move XSLTTemplateProcessor to axis2-codegen because it is not used at runtime. (veithen: rev 1807840) * (add) axis2/modules/codegen/src/org/apache/axis2/util/XSLTTemplateProcessor.java * (delete) axis2/modules/kernel/src/org/apache/axis2/util/XSLTTemplateProcessor.java > XML External Entity Injections > -- > > Key: AXIS2-5877 > URL: https://issues.apache.org/jira/browse/AXIS2-5877 > Project: Axis2 > Issue Type: Bug > Components: jaxws >Affects Versions: 1.7.6 >Reporter: Donald Kwakkel >Priority: Critical > Labels: security > Attachments: xxe1.png, xxe2.png > > > XML parser configured in ConvertUtils.java:225 does not prevent nor limit > external entities resolution. This can expose the parser to an XML External > Entities attack. > Proposed fix: Enable where TransformerFactory is used always the secure > processing feature: > {code:java} > public static TransformerFactory createTransformerFactory() { > TransformerFactory factory = TransformerFactory.newInstance(); > try { > > factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); > } > catch (TransformerConfigurationException e) { > throw new IllegalStateException(e); > } > return factory; > } > {code} > Also in XSLTTemplateProcessor.java:147 (XSLT Injection) and other locations > where this and DocumentBuilderFactory is handled wrong. See attached > screenshots. -- This message was sent by Atlassian JIRA (v6.4.14#64029) - To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org For additional commands, e-mail: java-dev-h...@axis.apache.org