xmlgraphics-batik-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lars Krapf (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (BATIK-1139) SSRF through external DTD resolution
Date Mon, 07 Dec 2015 17:45:11 GMT

     [ https://issues.apache.org/jira/browse/BATIK-1139?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Lars Krapf updated BATIK-1139:
------------------------------
    Description: 
The fix for XXE (BATIK-1018) seems to be incomplete. 
External DTD resolution should also be disabled in order to avoid attacks like SSRF or port-scanning
behind the firewall. 

See attached file (ssrf.svg) for an example. 

{code}
chaotic@m0lly:~$ nc -l 2323
GET / HTTP/1.1
User-Agent: Java/1.7.0_60-ea
Host: localhost:2323
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
{code}

To fix it you could disable the external DTD resolution altogether, using the document factory
configuration, i.e. 

{code}
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
{code}

See also https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing for more information
on XXE.




  was:
The fix for XXE (BATIK-1018) seems to be incomplete. 
External DTD resolution should also be disabled in order to avoid attacks like SSRF or port-scanning
behind the firewall. 

See attached file (ssrf.svg) for an example. 

{code}
chaotic@m0lly:~$ nc -l 2323
GET / HTTP/1.1
User-Agent: Java/1.7.0_60-ea
Host: localhost:2323
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
{code}

To fix it you could disable the external DTD resolution altogether, using the document factory
configuration, i.e. 

{code}
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
{code}

See also [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing|OWASP] for
more information on XXE.





> SSRF through external DTD resolution
> ------------------------------------
>
>                 Key: BATIK-1139
>                 URL: https://issues.apache.org/jira/browse/BATIK-1139
>             Project: Batik
>          Issue Type: Bug
>          Components: SVG Rasterizer
>    Affects Versions: 1.8
>            Reporter: Lars Krapf
>         Attachments: ssrf.svg
>
>
> The fix for XXE (BATIK-1018) seems to be incomplete. 
> External DTD resolution should also be disabled in order to avoid attacks like SSRF
or port-scanning behind the firewall. 
> See attached file (ssrf.svg) for an example. 
> {code}
> chaotic@m0lly:~$ nc -l 2323
> GET / HTTP/1.1
> User-Agent: Java/1.7.0_60-ea
> Host: localhost:2323
> Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
> Connection: keep-alive
> {code}
> To fix it you could disable the external DTD resolution altogether, using the document
factory configuration, i.e. 
> {code}
> dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
> {code}
> See also https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing for more
information on XXE.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: batik-dev-unsubscribe@xmlgraphics.apache.org
For additional commands, e-mail: batik-dev-help@xmlgraphics.apache.org


Mime
View raw message