chemistry-dev mailing list archives

From "Donald Kwakkel (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CMIS-944) XML External Entity Injection possible in WebSphereAuthHandler
Date Mon, 24 Aug 2015 10:46:46 GMT
Donald Kwakkel created CMIS-944:
-----------------------------------

             Summary: XML External Entity Injection possible in WebSphereAuthHandler
                 Key: CMIS-944
                 URL: https://issues.apache.org/jira/browse/CMIS-944
             Project: Chemistry
          Issue Type: Bug
          Components: opencmis-client
    Affects Versions: OpenCMIS 0.13.0
            Reporter: Donald Kwakkel



XML parser configured in WebSphereAuthHandler.java:72 does not prevent nor limit external
entities resolution. This can expose the parser to an XML External Entities attack.


Explanation:

XML External Entities attacks benefit from an XML feature to build documents dynamically at
the time of processing. An XML entity allows inclusion of data dynamically from a given resource.
External entities allow an XML document to include data from an external URI. Unless configured
to do otherwise, external entities force the XML parser to access the resource specified by
the URI, e.g., a file on the local machine or on a remote system. This behavior exposes the
application to XML External Entity (XXE) attacks, which can be used to perform denial of service
of the local system, gain unauthorized access to files on the local machine, scan remote machines,
and perform denial of service of remote systems.

The following XML document shows an example of an XXE attack.

<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>


This example could crash the server (on a UNIX system), if the XML parser attempts to substitute
the entity with the contents of the /dev/random file.





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
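The fix the report asks for is a parser that refuses to resolve external entities. The class below is an added example written for this archive, not code from OpenCMIS or from WebSphereAuthHandler.java (whose actual parser setup at line 72 is not quoted here, so it is assumed to use the standard `javax.xml.parsers.DocumentBuilderFactory`). It shows two hardened factory configurations and runs each against a constructed document shaped like the report's payload, with the `file:///dev/random` target replaced by a placeholder path so the demonstration cannot hang the JVM. `HardenedXmlParser`, `newStrictFactory`, `newNoExternalEntityFactory` and `parse` are names chosen for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added example (not OpenCMIS code): factories that cannot resolve external
 * entities, exercised against a DOCTYPE-bearing document like the one in CMIS-944.
 */
public class HardenedXmlParser {

    /** Strictest option: refuse any DTD at all, which removes every entity-based vector. */
    public static DocumentBuilderFactory newStrictFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Xerces feature honoured by the JDK's built-in parser: any <!DOCTYPE> is a fatal error.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Fallback when an internal DTD must be tolerated: keep all external resolution off. */
    public static DocumentBuilderFactory newNoExternalEntityFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP 1.5+ properties: an empty string forbids every protocol (file, http, ...).
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses with the given factory; the entity resolver is a belt-and-braces no-op. */
    public static Document parse(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.ISO_8859_1)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed test document: same shape as the report's payload, but the SYSTEM
        // identifier is a placeholder path rather than /dev/random.
        String payload = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n"
                + "<!DOCTYPE foo [ <!ELEMENT foo ANY >\n"
                + "  <!ENTITY xxe SYSTEM \"file:///PLACEHOLDER/not-a-real-file\" >]><foo>&xxe;</foo>";

        try {
            parse(newStrictFactory(), payload);
            System.out.println("UNEXPECTED: strict parser accepted a DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("strict parser rejected the document: " + e.getMessage());
        }

        try {
            Document d = parse(newNoExternalEntityFactory(), payload);
            String text = d.getDocumentElement().getTextContent();
            System.out.println(text.isEmpty()
                    ? "lenient-but-safe parser left the external entity unresolved (empty content)"
                    : "UNEXPECTED: entity content was read: " + text);
        } catch (SAXParseException e) {
            System.out.println("lenient-but-safe parser refused the external entity: " + e.getMessage());
        }
    }
}
```

`newStrictFactory` is the configuration to prefer when the handler never needs a DTD, because rejecting the DOCTYPE outright also stops entity-expansion denial of service (billion-laughs style) that the external-entity switches alone do not cover. `newNoExternalEntityFactory` is the minimum change when an inline DTD is legitimately expected; both variants should be paired with a `setEntityResolver` that never performs I/O, as shown, so that a parser implementation which ignores one of the feature strings still cannot reach the file system or network.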
