Does anyone know if this affects the older Adobe BlazeDS 4.6.0? Thanks, Andrew
On Wed, Aug 19, 2015 at 7:48 AM, Christofer Dutz <[email protected]> wrote: > CVE-2015-3269 Apache Flex BlazeDS Insecure Xml Entity Expansion > Vulnerability > > Severity: Important > > Vendor: The Apache Software Foundation > > Versions Affected: Apache Flex BlazeDS 4.7.0 > > Description: When receiving XML encoded AMF messages containing DTD > entities, the > default XML parser configurations allows expanding of entities to local > resources. > A request that included a specially crafted request parameter could be > used to > access content that would otherwise be protected. > > > Mitigation: All users of Apache Flex BlazeDS prior to 4.7.1 > > Example: For an AMF message that contains the following xml payload: > <?xml version="1.0" encoding="ISO-8859-1"?> > <!DOCTYPE foo [ > <!ELEMENT foo ANY > > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo> > the entity &xxe; would be expanded to the content of the file /etc/passwd. > However this expanded information is not automatically transferred back to > the client, but could be made available by the application. > > Credit: This issue was discovered by Matthias Kaiser of Code White > > References: > https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing > > Christofer Dutz > -- Andrew Kerr
