Hello Cedric, Are external entities blocked also in XSLT?
Greetings, Greg pt., 11 wrz 2020 o 11:39 Cédric Damioli <cdami...@apache.org> napisał(a): > [CVE-2020-11991] Apache Cocoon security vulnerability > > Severity: Important > > Vendor: The Apache Software Foundation > > Versions Affected: Apache Cocoon up to 2.1.12 > > Description: When using the StreamGenerator, the code parse a > user-provided XML. > > A specially crafted XML, including external system entities, could be used > to access any file on the server system. > > Mitigation: > > The StreamGenerator now ignores external entities. 2.1.x users should > upgrade to 2.1.13 > > Example: > > With the following input : > > <!--?xml version="1.0" ?--> <!DOCTYPE replace [<!ENTITY ent SYSTEM > "file:///etc/shadow"> ]> <userInfo> <firstName>John</firstName> > <lastName>&ent;</lastName> </userInfo> an attacker got the content of > /etc/shadow > > Credit: This issue was discovered by Nassim Asrir. > > Regards, > > -- > Cédric Damioli > >
