xmlgraphics-batik-dev mailing list archives

From "Lars Krapf (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (BATIK-1018) "XML External Entities" vulnerability
Date Wed, 02 Dec 2015 22:38:11 GMT

    [ https://issues.apache.org/jira/browse/BATIK-1018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15036792#comment-15036792 ]

Lars Krapf commented on BATIK-1018:


The fix for this issue seems to be incomplete. You should also disable external DTD resolution
to avoid SSRF:
{code}dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);{code}

See attached ssrf.svg for an example. 

> "XML External Entities" vulnerability
> -------------------------------------
>                 Key: BATIK-1018
>                 URL: https://issues.apache.org/jira/browse/BATIK-1018
>             Project: Batik
>          Issue Type: Bug
>          Components: Web Site
>    Affects Versions: 1.8
>         Environment: Operating System: All
> Platform: All
>            Reporter: Nicolas GREGOIRE
>            Assignee: Batik Developer's Mailing list
>             Fix For: trunk
>         Attachments: xxe.png, xxe.svg
> During visualization with Squiggle or rasterization via the CLI tool, XML external entities
> defined in the DTD are dereferenced and the content of the target file is included in the
> The impact of this vulnerability ranges from denial of service to file disclosure. Under
> Windows, it can also be used to steal LM/NTLM hashes.
> For some additional information about XXE attacks, please refer to http://cwe.mitre.org/data/definitions/827.html
> How to reproduce: 
> $> rasterizer xxe.svg -d xxe.png
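The two hardening points in this thread (the external-entity dereference in the original report and the external DTD fetch Lars adds in his comment), shown together as an added example that is not code from the Batik project: a JAXP DocumentBuilderFactory configured with the feature from the comment plus the related entity features, and a recording EntityResolver (constructed here, along with the sample SVG and its placeholder URIs) that reports which external URIs the parser tried to fetch instead of fetching them.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;

public class HardenedSvgParserDemo {

    // Constructed sample: a DOCTYPE with an external system id (the DTD fetch the
    // comment is about) plus an external general entity (the original XXE report).
    // Both URIs are placeholders, not real resources.
    static final String SAMPLE_SVG =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE svg SYSTEM \"http://dtd.example.invalid/svg11.dtd\" [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///placeholder/secret.txt\">\n"
      + "]>\n"
      + "<svg xmlns=\"http://www.w3.org/2000/svg\"><text>&xxe;</text></svg>\n";

    // Factory with external DTD loading and external entities disabled. DOCTYPE
    // itself stays allowed because many SVG files declare the SVG 1.1 DTD.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses SAMPLE_SVG with the given factory and returns every external system id
    // the parser asked the resolver for. Nothing is fetched: each request is
    // recorded and answered with empty content.
    static List<String> externalFetchesRequested(DocumentBuilderFactory dbf) throws Exception {
        List<String> requested = new ArrayList<>();
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setEntityResolver((publicId, systemId) -> {
            requested.add(systemId);
            return new InputSource(new StringReader(""));
        });
        db.parse(new InputSource(new StringReader(SAMPLE_SVG)));
        return requested;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default  : " + externalFetchesRequested(DocumentBuilderFactory.newInstance()));
        System.out.println("hardened : " + externalFetchesRequested(hardenedFactory()));
    }
}
```

With a stock factory the resolver is consulted for the DTD URI and the entity URI; with the hardened factory it is not consulted at all, which is the observable difference between the original fix and the one the comment asks for. The same recording resolver is a cheap regression check for any parser configuration that accepts untrusted SVG.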

This message was sent by Atlassian JIRA
