Project handling is susceptible to XXE #71
Comments
Good find! Thanks. Looks like a pretty straightforward configuration fix.
You're welcome. Out of curiosity: are you sure there is a config fix for this? I.e. can external entity processing be disabled globally for JDOM/SAXBuilder? I was under the impression you have to turn it off for every SAXBuilder instance individually. If there is no global way, please make sure to fix this everywhere, because this issue is not restricted to projects; e.g. Tool import is also affected.
Yeah. We're on the same page. When I said "configure" I didn't mean to imply there's some system property or whatever you set. I made factory methods to create properly configured SAXParsers and SAXBuilders, and refactored everything to use them.
@nsadeveloper789 Can you link to the fixing commit please?
…ponents See NationalSecurityAgency/ghidra#71 Signed-off-by: Andrii Kurdiumov <kant2002@gmail.com>
@attritionorg you could see it here: kant2002/Ghidra@19302d4
Unfortunately, no. Since our source repo is not yet published, there is no commit to link to. Additionally, the commit history up to the source release will not likely be present.
@nsadeveloper789 thanks. @kant2002 linked to his fix which gives the additional info I am after. Appreciate it!
Thx a lot.
See NationalSecurityAgency/ghidra#71 Signed-off-by: Andrii Kurdiumov <kant2002@gmail.com>
Describe the bug
Project open/restore is susceptible to XML External Entity Expansion attacks. This can be exploited in various ways by getting someone to open/restore a project prepared by an attacker.
To Reproduce
Steps to reproduce the behavior:
The same concept works with archived projects (.gar files) too.
Expected behavior
The XML parser should ignore external entities. For bonus points, it should give an error/warning when they are present.
Screenshots
The following screenshot was made of a proof of concept that only issues an HTTP GET request to localhost.
Environment (please complete the following information):