The SAXParserFactory instance in convert() is missing the flags that prevent external entity and doctype declaration processing, making it vulnerable to XXE attacks. At minimum, set the flags used in the ExportServlet.java example. Setting "http://apache.org/xml/features/nonvalidating/load-external-dtd" to false would additionally prevent loading of an external DTD.
Below are steps to reproduce. It'll need an external DTD to actually extract anything, but the stack trace is sufficient to show the class is vulnerable to XXE.
1. Set up and run the Java example
2. POST to ServerView with the following payload
3. xml=]>%26xxe%3b%26xxe;
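One way to harden the factory along the lines the report suggests, as an added example rather than the project's own code: apart from the load-external-dtd feature named above, the feature names are the standard JAXP/Xerces ones and are assumed to match the ExportServlet.java set; the class name, the convert() signature and the two sample documents are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxConvert {

    // Builds a SAXParserFactory with DOCTYPE and external entity handling disabled.
    // Feature names are the standard Xerces/JAXP ones (assumed to be the same set
    // as in ExportServlet.java, which this example does not have access to).
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Reject any <!DOCTYPE ...> outright; this alone blocks classic XXE.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE ever has to be tolerated elsewhere.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        return factory;
    }

    // Parses the document with the hardened factory; returns true on success and
    // false if the parser rejected it (for instance because it carried a DOCTYPE).
    static boolean convert(String xml) throws Exception {
        SAXParser parser = hardenedFactory().newSAXParser();
        InputSource in = new InputSource(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        try {
            parser.parse(in, new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            // With disallow-doctype-decl the message names the DOCTYPE as the cause.
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs, not taken from the report.
        String plain = "<report><item>ok</item></report>";
        String withDoctype = "<!DOCTYPE report [<!ENTITY e \"x\">]><report>&e;</report>";
        System.out.println("plain accepted:   " + convert(plain));
        System.out.println("doctype accepted: " + convert(withDoctype));
    }
}
```

Any request that previously produced the XXE stack trace is now refused before entity resolution starts, and the rejection message can be logged as a detection signal.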