xmlgraphics-batik-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 53603] "XML External Entities" vulnerability
Date Mon, 30 Jul 2012 09:39:12 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=53603

--- Comment #5 from Nicolas GREGOIRE <nicolas.gregoire@agarri.fr> ---
I understand your position but I think that these risks should then be much
more visible to casual users of the framework (i.e. documentation improvement).

Nowadays, it's trivial to find some applications using Batik in an insecure way
(allowing the disclosure of local files). Examples:
- Apache FOP: vulnerable. Repro: FOP document including a malicious SVG image
- HighCharts JS: vulnerable. Repro: submit a malicious SVG to the on-line
export feature of this graph library

MediaWiki seems impacted too:
http://www.mediawiki.org/wiki/Manual:$wgSVGConverters

Regarding XInclude: it is a feature of the XML parser and could be disabled
there in security-conscious deployments
Regarding ECMAScript: it can be disabled using command-line options. The main
differences with the XXE attack are that this one is scriptless and can't be
inhibited using options

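The scriptless XXE the comment describes, shown end to end as an added example (not Batik's, FOP's or the reporter's code): a constructed SVG whose DOCTYPE declares an external general entity pointing at a local file, parsed once by a resolver that follows SYSTEM identifiers (the insecure default being complained about) and once by a hardened resolver that rejects any DOCTYPE. Python's expat binding stands in for the Java XML parser Batik drives; the secret file, its contents, the `extract_text()` and `run_demo()` helpers and the POSIX `file://` path are all assumptions made for this demonstration.

```python
"""XXE through SVG: a permissive entity resolver beside a hardened one."""
import os
import tempfile
import urllib.parse
import xml.parsers.expat as expat


# Constructed payload: an external general entity declared in the internal
# DTD subset and expanded inside <text>. No script is involved, so turning
# ECMAScript off does nothing against it.
MALICIOUS_SVG = """<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY secret SYSTEM "{url}">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="50">
  <text x="10" y="30">&secret;</text>
</svg>
"""

BENIGN_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"><text x="1" y="1">hello</text></svg>
"""


def extract_text(svg: str, follow_external_entities: bool) -> str:
    """Return the character data found inside <text> elements of an SVG.

    follow_external_entities=True models a parser left at permissive
    defaults: SYSTEM entities are read from the local filesystem and spliced
    into the document. False models the hardened setup, which refuses any
    DOCTYPE, so no entity declaration can exist in the first place.
    """
    parser = expat.ParserCreate()
    chunks = []
    depth_in_text = [0]  # mutable cell so the closures can update it

    def start_element(name, attrs):
        if name == "text":
            depth_in_text[0] += 1

    def end_element(name):
        if name == "text":
            depth_in_text[0] -= 1

    def character_data(data):
        if depth_in_text[0]:
            chunks.append(data)

    def follow_entity(context, base, system_id, public_id):
        # Vulnerable resolver: trust the SYSTEM identifier, read that path and
        # parse the bytes as the entity's replacement text. The child parser
        # inherits the handlers above, so the file contents land in `chunks`.
        path = urllib.parse.urlparse(system_id).path
        with open(path, "rb") as fh:
            replacement = fh.read()
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(replacement, True)
        return 1

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Hardened resolver: an uploaded image has no business declaring a
        # DOCTYPE. Failing here is the expat counterpart of the Xerces
        # disallow-doctype-decl feature.
        raise ValueError("DOCTYPE declaration rejected: %r" % doctype_name)

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    if follow_external_entities:
        parser.ExternalEntityRefHandler = follow_entity
    else:
        parser.StartDoctypeDeclHandler = reject_doctype
        # Belt and braces: never expand parameter entities either.
        parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    parser.Parse(svg, True)
    return "".join(chunks)


def run_demo() -> dict:
    """Write a constructed secret, parse the payload both ways, return results."""
    secret = "db_password=hunter2\n"  # constructed, stands in for /etc/passwd
    fd, path = tempfile.mkstemp(prefix="xxe-demo-")
    with os.fdopen(fd, "w") as fh:
        fh.write(secret)
    try:
        payload = MALICIOUS_SVG.format(url="file://" + path)  # POSIX path assumed
        leaked = extract_text(payload, follow_external_entities=True)
        try:
            extract_text(payload, follow_external_entities=False)
            hardened = "parsed"  # reaching this would mean the hardening failed
        except ValueError as exc:
            hardened = str(exc)
        benign = extract_text(BENIGN_SVG, follow_external_entities=False)
    finally:
        os.unlink(path)
    return {"leaked": leaked, "hardened": hardened, "benign": benign}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", repr(value))
```

The permissive run returns the secret file verbatim as the rendered text of the image, which is exactly what an export or thumbnail feature would then hand back to the uploader; the hardened run stops at the DOCTYPE while still rendering the benign file. For the Java/Xerces parser Batik actually uses, the equivalent knobs are the SAX features `http://apache.org/xml/features/disallow-doctype-decl` (set true), `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` (set false), and, for the XInclude point made in the comment, `http://apache.org/xml/features/xinclude` (set false); these must be applied on the XMLReader before it is handed to the SVG document factory.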

