XXE vulnerability in SimpleXML #18
Comments
|
Any comment? |
|
Hi,
So this has nothing to do with SimpleXML, it has to do with the underlying library. You can choose to use XPP, StAX, or DOM. You can configure these however you like, or supply an implementation other than the defaults provided by the platform you run on.
Regards,Niall
From: John Saigle <notifications@github.com>
To: ngallagher/simplexml <simplexml@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Sent: Wednesday, 31 May 2017, 20:27
Subject: Re: [ngallagher/simplexml] XXE vulnerability in SimpleXML (#18)
@OneSourceCat is this still potentially exploitable? have you received any contact?This is relevant to a project I'm working on and anything you could tell me would be helpful.—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
This morning I received the CVE ID about this, otherwise I even forgot that I had submmited this issue. |
|
SimpleXML does not parse XML... it is XMPP, DOM, or StAX. You can control this. I will not address an issue that does not exist.
On Thursday, August 24, 2017, 4:23:22 AM GMT+1, RuiChong <notifications@github.com> wrote:
This morning I received the CVE ID about this, otherwise I even forgot that I had submmited this issue.
SimpleXML has to ban resolving the external entities by default. The developers don't have duty and abilities to handle such security problem. Ban resolving the exteral entities is a good way to prevent this vulnerability.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
@ngallagher @OneSourceCat can you explain how this can be controlled by the user? Are you saying that you can configure the XML parser (XMPP, DOM or StAX) externally from SimpleXML? If so, how? |
|
@ngallagher @OneSourceCat I too would like an explanation. I have not been able to put the magic words into google to return results that will show me how to do this. |
|
Would love to see some response on this. I understand it may not be an issue with SimpleXML but we need some guidance on how to mitigate. Is it one of the project dependencies that can be updated? Are we talking about creating a 'filter' in StAX? .or is the issue in the DocumentProvider.class |
|
You should migrate from |
|
@ngallagher I think it'd be convenient to make StreamProvider public and accepting a factory in its constructor. Then you can pass a preconfigured factory (disabling entity resolution) and use it for reading the InputNode which in turn can be passed to the Persister. These are minimal API changes and allow for xml factory configuration (used locally) to happen outside of simple-xml. These also don't require any global changes which are often impossible or inconvenient. |
|
I created a fork and implemented the changes I mentioned above since simple-xml makes so many people so nervous because of CVEs. https://github.com/dweiss/simplexml The "default" Provider configuration disables entity expansion in that fork. You can still create a version that works with everything the underlying XML parser is configured with. |
|
Thank you @dweiss !! |
|
Welcome! |
|
Is there any plan to build and provide a new version with the fix for CVE-2017-1000190? |
|
The solution developed by @dweiss looks correct to me: https://github.com/dweiss/simplexml Only one comment. Although the tests show that XXE and Billion laughs don't work anymore, to be on the safe side, it may also enable the https://docs.oracle.com/javase/7/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING @ngallagher Would it be possible to merge the patch and release a new version of Please let me know if you need help. |
|
@ngallagher Yes if possible, please try to merge the fix and provide a new version of sample-xml which fixes CVE-2017-1000190. |
|
FYI: you can address this issue by using the forked com.carrotsearch.thirdparty:simple-xml-safe:2.7.1 (https://github.com/carrotsearch/simplexml-safe) that has this fixed (that is what the MINIO folks did in their minio-java 7.1.0 release) |
* develop: (150 commits) Upgrade to Spring 5.3 Fix ngallagher/simplexml#18, CVE-2017-1000190 Update README.md Set new dev version. Set release 2.1.9 Set Jackson Databind to the fixd version. Fix UTC date stamps. Set new develop version Move OSS SonaType staging releases to new infra. Updates for release. Set version to 2.1.8 in latest BOM. Bump commons-compress from 1.20 to 1.21 in /dd4t-bom-tridion-9 Bump activemq-client from 5.15.7 to 5.15.9 in /dd4t-bom Bump junit from 4.11 to 4.13.1 in /dd4t-bom Bump spring-core from 4.3.20.RELEASE to 4.3.21.RELEASE in /dd4t-bom-web8 Bump jackson-databind from 2.10.5 to 2.10.5.1 in /dd4t-bom Set Release version 2.1.8 Small updates before release. Bump jackson-databind + Clean up POM + Small config defaults update + Updated README ... # Conflicts: # dd4t-api/pom.xml # dd4t-api/src/main/java/org/dd4t/contentmodel/Keyword.java # dd4t-bom-2013SP1/pom.xml # dd4t-bom-web8/pom.xml # dd4t-bom/pom.xml # dd4t-caching/pom.xml # dd4t-caching/src/main/java/org/dd4t/caching/providers/EHCacheProvider.java # dd4t-compatibility/pom.xml # dd4t-core/pom.xml # dd4t-core/src/main/java/org/dd4t/contentmodel/impl/KeywordImpl.java # dd4t-databind/pom.xml # dd4t-example-site/pom.xml # dd4t-mvc-support/pom.xml # dd4t-providers-common/pom.xml # dd4t-providers-odata/pom.xml # dd4t-providers/pom.xml # dd4t-test-spring-web/pom.xml # dd4t-thymeleaf-support/pom.xml # dd4t-thymeleaf-support/src/main/java/org/dd4t/thymeleaf/dialect/processor/xpm/XpmFieldProcessor.java # pom.xml
Does this fix available online? I couldn't find the fixed version in maven or any other repositories |
|
When will be a fix available for this? |
|
We see a vulnerability "CVE-2017-1000190" detected with simple xml 2.7.1 version. |
Hi, there.
Recently, I learned about SimpleXML and tried my luck to find some bugs. Here is what I found.
As you know, SimpleXML can serialize and deserialize XML document. So I tested for these functions and finally I found these can lead to an XXE vulnerability.
First, I tried to inject payloads into the attributes. However, SimpleXML cannot resolve external entity in attribute of the element.
It will raise an exception when resolve the XML document above because SimpleXML cannot resolve external entity in attributes.
However, external entity can be used at elements' text nodes:
When deserialize this document above, we can retrieve the content of win.ini in C disk. Also, we can use http, gopher, dict protocol in XXE attack.
More details in PoC.java(test version is 2.7.1).
Besides, Retrofit is also affected by this vulnerability because of the usage of SimpleXML inside.
PoC.txt
To fix it, you can limit the resolving of external entities in XML document.
Let me know if you have problem to reproduce this issue.
Thanks!
The text was updated successfully, but these errors were encountered: