Please document the XEE attacks when using DOMHandle so that customers avoid this vulnerability #1103
Comments
My point with this support issue was that I think it's safer to not allow external entities by default so customers do not get affected by xee attacks so easily. I can understand if you do not want to introduce a possible breaking change for customers currently relying on the functionality though. It should of course be properly documented in the DOMHandle API then :)
Given that we're introducing other backward incompatibilities, it seems okay to introduce this one. I applied the OWASP recommendations to the SAX, StAX, and other defaulted parsers as well. Of course, the parsers provided by the handles are only defaults. The application is free to configure their own parsers in all cases. Shouldn't cause any regressions.
Ran the snippet on
So we can address your issue, please include the following:
Version of MarkLogic Java Client API
4.2.0
Version of MarkLogic Server
9.0-9.1
The Java API is vulnerable to very easy-to-exploit XEE attacks. In particular, the usage of a DOMHandle is vulnerable.
See the following code snippet for a working exploit.
This code snippet saves the content of /etc/passwd to "test.xml" in MarkLogic and prints its content.
As soon as a DOMHandle is used, the injection of system resources (of the host the application is running on) is possible.
See DOMHandle's makeDocumentBuilderFactory method, which creates an insecure DocumentBuilderFactory instance.
Please document this scenario so that customers don't run into this issue.
The issue was originally reported by Michale Wagner from SiteFusion.de via MarkLogic support.