flex-users mailing list archives

From Andrew Kerr <ak...@fluid.com>
Subject Re: CVE-2015-3269 Apache Flex BlazeDS Insecure Xml Entity Expansion Vulnerability
Date Wed, 19 Aug 2015 12:07:53 GMT
Does anyone know if this affects the older Adobe BlazeDS 4.6.0?

Thanks,
Andrew


On Wed, Aug 19, 2015 at 7:48 AM, Christofer Dutz <cdutz@apache.org> wrote:

> CVE-2015-3269 Apache Flex BlazeDS Insecure Xml Entity Expansion
> Vulnerability
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: Apache Flex BlazeDS 4.7.0
>
> Description: When receiving XML encoded AMF messages containing DTD
> entities, the default XML parser configuration allows expanding of
> entities to local resources. A request that included a specially crafted
> request parameter could be used to access content that would otherwise
> be protected.
>
>
> Mitigation: All users of Apache Flex BlazeDS prior to 4.7.1
>
> Example: For an AMF message that contains the following xml payload:
> <?xml version="1.0" encoding="ISO-8859-1"?>
>  <!DOCTYPE foo [
>    <!ELEMENT foo ANY >
>    <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
> the entity &xxe; would be expanded to the content of the file /etc/passwd.
> However this expanded information is not automatically transferred back to
> the client, but could be made available by the application.
>
> Credit: This issue was discovered by Matthias Kaiser of Code White
>
> References:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> Christofer Dutz
>



-- 
Andrew Kerr
