chemistry-dev mailing list archives

From Florian Müller (JIRA) <>
Subject [jira] [Resolved] (CMIS-944) XML External Entity Injection possible in WebSphereAuthHandler
Date Mon, 24 Aug 2015 10:58:45 GMT


Florian Müller resolved CMIS-944.
    Resolution: Won't Fix

This class doesn't exist anymore in the next release.

> XML External Entity Injection possible in WebSphereAuthHandler
> --------------------------------------------------------------
>                 Key: CMIS-944
>                 URL:
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-client
>    Affects Versions: OpenCMIS 0.13.0
>            Reporter: Donald Kwakkel
> XML parser configured in does not prevent nor limit external
> entities resolution. This can expose the parser to an XML External Entities attack.
> Explanation:
> XML External Entities attacks benefit from an XML feature to build documents dynamically
> at the time of processing. An XML entity allows inclusion of data dynamically from a given
> resource. External entities allow an XML document to include data from an external URI. Unless
> configured to do otherwise, external entities force the XML parser to access the resource
> specified by the URI, e.g., a file on the local machine or on a remote system. This behavior
> exposes the application to XML External Entity (XXE) attacks, which can be used to perform
> denial of service of the local system, gain unauthorized access to files on the local machine,
> scan remote machines, and perform denial of service of remote systems.
> The following XML document shows an example of an XXE attack.
> <?xml version="1.0" encoding="ISO-8859-1"?>
>  <!DOCTYPE foo [
>   <!ELEMENT foo ANY >
>   <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
> This example could crash the server (on a UNIX system), if the XML parser attempts to
> substitute the entity with the contents of the /dev/random file.

This message was sent by Atlassian JIRA
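As a defender's check for the parser misconfiguration the report describes, the Java example below (added here; it is not OpenCMIS code and not the project's own fix) configures a JAXP DocumentBuilder so that the sample document is rejected at its DOCTYPE and the SYSTEM URI is never dereferenced. The class and method names are illustrative, and the benign document is a constructed input parsed alongside the report's sample.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlParserDemo {
    // Builds a DocumentBuilder that refuses any DOCTYPE outright and, as defence
    // in depth, also disables external entity loading for JAXP implementations
    // that do not honour the disallow-doctype feature.
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: a <!DOCTYPE> is rejected before any SYSTEM URI is looked at.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parses an XML string with the hardened builder; returns the root element
    // name, or null when the parser rejected the document.
    public static String rootNameOrNull(String xml) throws Exception {
        try {
            Document doc = newHardenedBuilder().parse(
                    new ByteArrayInputStream(xml.getBytes(StandardCharsets.ISO_8859_1)));
            return doc.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            // Expected for the DOCTYPE-bearing document: it fails at the DTD,
            // so file:///dev/random is never opened.
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed benign input, as an auth handler might legitimately receive.
        String benign = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><foo>ok</foo>";
        // The XXE sample from the issue description, on a single line.
        String xxe = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo ["
                + "<!ELEMENT foo ANY><!ENTITY xxe SYSTEM \"file:///dev/random\">]><foo>&xxe;</foo>";
        System.out.println("benign -> " + rootNameOrNull(benign));
        System.out.println("xxe    -> " + rootNameOrNull(xxe));
    }
}
```

The benign document yields its root name while the sample from the report is rejected with a SAXParseException about the disallowed DOCTYPE, which is the behaviour to confirm when auditing any XML entry point.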
