A potential XXE vulnerability found on rhino #479

Closed
brianwrf opened this issue Sep 28, 2018 · 4 comments

Comments


@brianwrf brianwrf commented Sep 28, 2018

Howdy,

Just found a potential XXE vulnerability in rhino, as shown below; it seems the function toXml didn't add any protection against XXE when parsing an XML document.

https://github.com/mozilla/rhino/blob/master/xmlimplsrc/org/mozilla/javascript/xmlimpl/XmlProcessor.java#L225

You may need to follow the OWASP guide below, which provides concise information on preventing this vulnerability.
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java

Thanks,
Brian


@nightwatchcyber nightwatchcyber commented Aug 22, 2019

@gbrail / @rbri - did someone from the Rhino project team have a chance to look at this issue?



@git4dipu git4dipu commented Aug 28, 2019

@brianwrf Can you help us understand the vulnerability with some attack vector?

The reason I am asking is:

  • I wrote a main method in XmlProcessor.java to verify the toXml vulnerability and tried a few XMLs with the entity attack below:

    ```xml
    <!DOCTYPE foo [<!ELEMENT foo ANY >
    <!ENTITY xxe SYSTEM "/" >]>
    ```

  • But it failed with "Scanner State 24 not Recognized". I believe the Java parser is not allowing DOCTYPE injection (i.e. state 24).

```
TypeError: Cannot parse XML: Scanner State 24 not Recognized (_2B0601040181900D819C200A819C200100#94)
Execution time: 446.0 ms
org.xml.sax.SAXException: Scanner State 24 not Recognized
	at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:271)
	at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:347)
	at org.mozilla.javascript.xmlimpl.XmlProcessor.toXml(XmlProcessor.java:274)
	at org.mozilla.javascript.xmlimpl.XmlProcessor.main(XmlProcessor.java:401)
```

So I'm not sure if this is truly vulnerable. Please correct me if I am wrong.

FYI - @nightwatchcyber @gbrail @rbri



@gbrail gbrail commented Aug 30, 2019



@tonygermano tonygermano commented Jun 22, 2021

@gbrail I think this issue should have been closed with #600


@gbrail gbrail closed this Jun 23, 2021