This repository has been archived by the owner on Mar 31, 2021. It is now read-only.
The SAXParserFactory instance in convert() is missing the flags that prevent external entity and doctype declaration processing, making it vulnerable to XXE attacks. At minimum, set the flags used in the ExportServlet.java example. Additionally setting "http://apache.org/xml/features/nonvalidating/load-external-dtd" to false would prevent loading of external DTDs.
Below are steps to reproduce. It'll need an external DTD to actually extract anything, but the stack trace is sufficient to show the class is vulnerable to XXE.
1. Set up and run the Java example
2. POST to ServerView with the following payload:

   xml=]>%26xxe%3b%26xxe;
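The following is an added, self-contained Java example illustrating the fix the report asks for; it is not code from this repository, and the feature set below is the commonly recommended Xerces/JAXP hardening set, not a claim about which exact flags ExportServlet.java uses. The probe document, the temp file it reads and the class and method names are all constructed for the demo. It parses the same XXE probe twice: once with a default SAXParserFactory (the situation described in convert()) and once with a hardened one, and returns what each parser did with the entity.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeHardeningDemo {

    /** Mirrors the reported defect: a default SAXParserFactory with no hardening. */
    static SAXParserFactory vulnerableFactory() {
        return SAXParserFactory.newInstance();
    }

    /** Hardened factory: refuse DOCTYPEs outright, plus defence-in-depth entity/DTD features. */
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Primary control: any <!DOCTYPE ...> is a parse error, which removes XXE and
        // entity-expansion (billion laughs) payloads as a class.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case DOCTYPEs ever have to be re-enabled:
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // The extra flag suggested in the report: never fetch an external DTD.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    /** Builds a constructed XXE probe whose general entity points at a local file URI. */
    static String buildProbe(String fileUri) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE data [\n"
             + "  <!ENTITY xxe SYSTEM \"" + fileUri + "\">\n"
             + "]>\n"
             + "<data>&xxe;</data>\n";
    }

    /**
     * Parses xml with the given factory. Returns the character data the parser
     * delivered (i.e. the expanded entity) on success, or "REJECTED: <message>"
     * when the parser refused the document.
     */
    static String parse(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        StringBuilder text = new StringBuilder();
        DefaultHandler collector = new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        };
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            parser.parse(in, collector);
            return text.toString().trim();
        } catch (SAXParseException e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" standing in for a file the attacker wants to read.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "secret-value");
        String probe = buildProbe(secret.toUri().toString());

        // Default factory expands the entity and hands the file contents to the handler.
        System.out.println("vulnerable: " + parse(vulnerableFactory(), probe));
        // Hardened factory fails fast on the DOCTYPE before any entity is resolved.
        System.out.println("hardened  : " + parse(hardenedFactory(), probe));

        Files.deleteIfExists(secret);
    }
}
```

Running it shows the default parser returning the temp file's contents, while the hardened parser rejects the document with a "DOCTYPE is disallowed" parse error. In a servlet such as convert(), the rejection surfaces as the SAXParseException the report mentions, which is why a stack trace alone is enough to tell the two configurations apart even without an external DTD to exfiltrate through. Note that the feature URIs above are Xerces-specific; a different SAX implementation may throw SAXNotRecognizedException for them and should then be hardened with its own equivalents.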