[jira] [Commented] (AXIS2-5877) XML External Entity Injections
[
https://issues.apache.org/jira/browse/AXIS2-5877?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16160313#comment-16160313
]
Andreas Veithen commented on AXIS2-5877:
{{XSLTTemplateProcessor}} is not security sensitive because it's only used
during code generation. Can you provide a test case or exploit that shows how
the code in {{ConvertUtils}} would be used to carry out an attack
([CVE-2010-1632|https://svn.apache.org/repos/asf/axis/axis2/java/core/security/CVE-2010-1632.pdf]
provides an example)?
> XML External Entity Injections
> --
>
> Key: AXIS2-5877
> URL: https://issues.apache.org/jira/browse/AXIS2-5877
> Project: Axis2
> Issue Type: Bug
> Components: jaxws
>Affects Versions: 1.7.6
>Reporter: Donald Kwakkel
>Priority: Critical
> Labels: security
> Attachments: xxe1.png, xxe2.png
>
>
> XML parser configured in ConvertUtils.java:225 does not prevent nor limit
> external entities resolution. This can expose the parser to an XML External
> Entities attack.
> Proposed fix: Enable where TransformerFactory is used always the secure
> processing feature:
> {code:java}
> public static TransformerFactory createTransformerFactory() {
> TransformerFactory factory = TransformerFactory.newInstance();
> try {
>
> factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
> }
> catch (TransformerConfigurationException e) {
> throw new IllegalStateException(e);
> }
> return factory;
> }
> {code}
> Also in XSLTTemplateProcessor.java:147 (XSLT Injection) and other locations
> where this and DocumentBuilderFactory is handled wrong. See attached
> screenshots.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
-
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org
[jira] [Commented] (AXIS2-5877) XML External Entity Injections
[
https://issues.apache.org/jira/browse/AXIS2-5877?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16159617#comment-16159617
]
Hudson commented on AXIS2-5877:
---
SUCCESS: Integrated in Jenkins build Axis2 #3825 (See
[https://builds.apache.org/job/Axis2/3825/])
AXIS2-5877: Move XSLTTemplateProcessor to axis2-codegen because it is not used
at runtime. (veithen: rev 1807840)
* (add)
axis2/modules/codegen/src/org/apache/axis2/util/XSLTTemplateProcessor.java
* (delete)
axis2/modules/kernel/src/org/apache/axis2/util/XSLTTemplateProcessor.java
> XML External Entity Injections
> --
>
> Key: AXIS2-5877
> URL: https://issues.apache.org/jira/browse/AXIS2-5877
> Project: Axis2
> Issue Type: Bug
> Components: jaxws
>Affects Versions: 1.7.6
>Reporter: Donald Kwakkel
>Priority: Critical
> Labels: security
> Attachments: xxe1.png, xxe2.png
>
>
> XML parser configured in ConvertUtils.java:225 does not prevent nor limit
> external entities resolution. This can expose the parser to an XML External
> Entities attack.
> Proposed fix: Enable where TransformerFactory is used always the secure
> processing feature:
> {code:java}
> public static TransformerFactory createTransformerFactory() {
> TransformerFactory factory = TransformerFactory.newInstance();
> try {
>
> factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
> }
> catch (TransformerConfigurationException e) {
> throw new IllegalStateException(e);
> }
> return factory;
> }
> {code}
> Also in XSLTTemplateProcessor.java:147 (XSLT Injection) and other locations
> where this and DocumentBuilderFactory is handled wrong. See attached
> screenshots.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
-
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org
