I noticed that by default, the parser in XMLBuilder is vulnerable to XXE.
The following PoC is a modified version of the TestXMLBuilder2.java file that would see the local file included in parser output.
…, re #6
XML Builder classes now explicitly enable or disable
'external-general-entities' and 'external-parameter-entities' features
of the DocumentBuilderFactory when #create or #parse methods are used.
To prevent XML External Entity (XXE) injection attacks, these features
are disabled by default. They can only be enabled by passing a true
boolean value to new versions of the #create and #parse methods that
accept a flag for this feature.
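A worked illustration of the two DocumentBuilderFactory features the commit message names, added here as an example and not taken from XMLBuilder's own code. It builds one factory with `external-general-entities` and `external-parameter-entities` switched on (the pre-fix default behaviour) and one with both switched off (the post-fix default), then parses the same constructed XXE payload with each. The secret file is created by the program itself so the demo runs without touching real system files; the class and method names are this example's own.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XxeFeatureDemo {

    // SAX feature URIs for the two features referred to in the commit message.
    static final String EXT_GENERAL =
        "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER =
        "http://xml.org/sax/features/external-parameter-entities";

    // Build a factory with external entity processing explicitly on or off,
    // mirroring the boolean flag the fixed #create/#parse methods accept.
    static DocumentBuilderFactory factory(boolean enableExternalEntities)
            throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(EXT_GENERAL, enableExternalEntities);
        dbf.setFeature(EXT_PARAMETER, enableExternalEntities);
        return dbf;
    }

    // Parse the document and return the text under the root element, which is
    // where an expanded external entity would surface.
    static String parseRootText(String xml, boolean enableExternalEntities)
            throws Exception {
        DocumentBuilder db = factory(enableExternalEntities).newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed secret: a temp file standing in for a sensitive local file.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "TOP-SECRET".getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();

        // Constructed XXE payload: a general entity whose SYSTEM id is the local file.
        String payload = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE root [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
            + "<root>&xxe;</root>";

        // With the features enabled the file contents are pulled into the document.
        System.out.println("external entities enabled : \""
            + parseRootText(payload, true) + "\"");
        // With the features disabled the parser skips the external entity and
        // no file content reaches the document.
        System.out.println("external entities disabled: \""
            + parseRootText(payload, false) + "\"");
    }
}
```

One caveat when relying on these two features alone: they stop the parser from fetching external entities, but the DOCTYPE is still processed, so internal entity expansion (the "billion laughs" pattern) remains possible. Where the application never needs a DTD, additionally setting `http://apache.org/xml/features/disallow-doctype-decl` to true on the factory rejects any document carrying a DOCTYPE outright.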
@xiaoyongwu Thanks for the report. This XXE vulnerability is now fixed by disabling external entity processing by default; external entities are now only processed if this feature is explicitly enabled in a call to the #create or #parse methods.
```java
// PoC from the original report: a modified TestXMLBuilder2.java.
// Only the package, imports and class shell survive on this page; the test
// body that performed the XXE parse is not shown here.
package com.jamesmurty.utils;

import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;

public class TestXMLBuilder2 extends BaseXMLBuilderTests {
}
```