xmlgraphics-batik-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 53603] New: "XML External Entities" vulnerability
Date Wed, 25 Jul 2012 16:32:36 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=53603

          Priority: P2
            Bug ID: 53603
          Assignee: batik-dev@xmlgraphics.apache.org
           Summary: "XML External Entities" vulnerability
          Severity: major
    Classification: Unclassified
                OS: All
          Reporter: nicolas.gregoire@agarri.fr
          Hardware: All
            Status: NEW
           Version: 1.8
         Component: SVG DOM
           Product: Batik

Created attachment 29114
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=29114&action=edit
Malicious SVG file

During visualization with Squiggle or rasterization via the CLI tool, XML
external entities defined in the DTD are dereferenced and the content of the
target file is included in the output.

The impact of this vulnerability ranges from denial of service to file
disclosure. Under Windows, it can also be used to steal LM/NTLM hashes.

For some additional information about XXE attacks, please refer to
http://cwe.mitre.org/data/definitions/827.html

How to reproduce: 
$> rasterizer xxe.svg -d xxe.png


