Return-Path: 
 <dev-return-8737-apmail-chemistry-dev-archive=chemistry.apache.org@chemistry.apache.org>
X-Original-To: apmail-chemistry-dev-archive@www.apache.org
Delivered-To: apmail-chemistry-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 3D48218BE2
	for <apmail-chemistry-dev-archive@www.apache.org>;
 Mon, 24 Aug 2015 10:58:46 +0000 (UTC)
Received: (qmail 64434 invoked by uid 500); 24 Aug 2015 10:58:46 -0000
Delivered-To: apmail-chemistry-dev-archive@chemistry.apache.org
Received: (qmail 64380 invoked by uid 500); 24 Aug 2015 10:58:46 -0000
Mailing-List: contact dev-help@chemistry.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@chemistry.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@chemistry.apache.org>
List-Post: <mailto:dev@chemistry.apache.org>
List-Id: <dev.chemistry.apache.org>
Reply-To: dev@chemistry.apache.org
Delivered-To: mailing list dev@chemistry.apache.org
Received: (qmail 64369 invoked by uid 99); 24 Aug 2015 10:58:46 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 24 Aug 2015 10:58:46 +0000
Date: Mon, 24 Aug 2015 10:58:45 +0000 (UTC)
From: =?utf-8?Q?Florian_M=C3=BCller_=28JIRA=29?= <jira@apache.org>
To: dev@chemistry.apache.org
Message-ID: <JIRA.12858264.1440413185000.144857.1440413925957@Atlassian.JIRA>
In-Reply-To: <JIRA.12858264.1440413185000@Atlassian.JIRA>
References: <JIRA.12858264.1440413185000@Atlassian.JIRA>
 <JIRA.12858264.1440413185766@arcas>
Subject: [jira] [Resolved] (CMIS-944) XML External Entity Injection possible
 in WebSphereAuthHandler
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


     [ https://issues.apache.org/jira/browse/CMIS-944?page=3Dcom.atlassian.=
jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian M=C3=BCller resolved CMIS-944.
---------------------------------
    Resolution: Won't Fix

This class doesn't exist anymore in the next release.

> XML External Entity Injection possible in WebSphereAuthHandler
> --------------------------------------------------------------
>
>                 Key: CMIS-944
>                 URL: https://issues.apache.org/jira/browse/CMIS-944
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-client
>    Affects Versions: OpenCMIS 0.13.0
>            Reporter: Donald Kwakkel
>
> XML parser configured in WebSphereAuthHandler.java:72 does not prevent no=
r limit external entities resolution. This can expose the parser to an XML =
External Entities attack.
> Explanation:
> XML External Entities attacks benefit from an XML feature to build docume=
nts dynamically at the time of processing. An XML entity allows inclusion o=
f data dynamically from a given resource. External entities allow an XML do=
cument to include data from an external URI. Unless configured to do otherw=
ise, external entities force the XML parser to access the resource specifie=
d by the URI, e.g., a file on the local machine or on a remote system. This=
 behavior exposes the application to XML External Entity (XXE) attacks, whi=
ch can be used to perform denial of service of the local system, gain unaut=
horized access to files on the local machine, scan remote machines, and per=
form denial of service of remote systems.
> The following XML document shows an example of an XXE attack.
> <?xml version=3D"1.0" encoding=3D"ISO-8859-1"?>
>  <!DOCTYPE foo [
>   <!ELEMENT foo ANY >
>   <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
> This example could crash the server (on a UNIX system), if the XML parser=
 attempts to substitute the entity with the contents of the /dev/random fil=
e.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)