XXE in Game Parser #3442
Comments
|
@DanVanAtta @ssoloff @ron-murhammer This issue should be fairly easy to fix. |
|
Yeah, agreed. It's not very severe at all. More a 'good to fix' issue.
On Wed, 30 May 2018, 9:47 AM RoiEX ***@***.***> wrote:
@DanVanAtta @ssoloff @ron-murhammer This issue should be fairly easy to fix.
This is not a severe issue because we don't just arbitrarily load xmls into the game and download them via HTTPS.
The only potential security risk comes from players themselves that get tricked into installing malicious maps.
|
|
@prodigysml Thanks for reporting this issue btw. |
|
Unfortunately we don't have a P2 label ^^ |
|
Number of comments from me:
|
|
Downgrading priority label given this statement:
|
|
https://security-tracker.debian.org/tracker/CVE-2018-1000546 Having a CVE specific to your application is bad. Having one unaddressed for over six months is very bad optics. Even if it does require the user to be tricked into installing a malicious map (really, that's not terribly difficult). |
|
Turns out this really is a non-issue. Only by manually setting this flag to Anyways. I opened #4516 to have this feature set without having to rely on the implementation. |
|
Ok. Apparently setting the flag explicitly does change the behaviour slightly. Not sure what to do about this currently. I guess having protection from HTTP request is sufficient for now? |
Sounds like this may be platform- or JVM-specific because I'm assuming the OP ran a test to verify the external entity was opened. @prodigysml, do you happen to remember on which platform(s) and JVM implementation(s) you observed this exploit? |
|
My only comment would be that some process should be in place to notify the Debian package manager that the CVE has been corrected, and see if we can get the package updated, or the change back ported to the released package in their repo (not sure how that works). |

The Issue
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
Where the Issue Occurred
triplea/game-core/src/main/java/games/strategy/engine/data/GameParser.java
Line 319 in 43ad70c
The above code parses a game file.
A sample game file can be found at:
https://github.com/triplea-game/triplea/blob/master/game-core/src/test/resources/GameExample.xml
To exploit this issue, import the following XML code:
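Since the thread leaves open whether external entities are resolved by default or only on some platforms and JVMs, here is an added example (not TripleA's code and not the payload from this issue) that checks it on the JVM it runs on and compares the default `DocumentBuilderFactory` with one that sets the relevant features explicitly. Assumptions: the JDK's built-in Xerces-derived parser is in use, the class name `XxeParserCheck` is hypothetical, and the marker file and test document are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

public class XxeParserCheck {
  // Constructed marker standing in for confidential local file content.
  static final String MARKER = "CONSTRUCTED-LOCAL-SECRET";

  /** Factory with external entity and external DTD loading switched off explicitly. */
  static DocumentBuilderFactory hardenedFactory() throws Exception {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    f.setFeature("http://xml.org/sax/features/external-general-entities", false);
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    // Assumption: the application does not need to fetch a DTD in order to parse.
    f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    f.setXIncludeAware(false);
    f.setExpandEntityReferences(false);
    return f;
  }

  /** Parses xml and reports whether the marker file's content ended up in the DOM. */
  static String check(DocumentBuilderFactory f, String xml) {
    try {
      String text = f.newDocumentBuilder()
          .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
          .getDocumentElement().getTextContent();
      return text.contains(MARKER) ? "external entity RESOLVED" : "external entity not resolved";
    } catch (Exception e) {
      return "document rejected: " + e.getClass().getSimpleName();
    }
  }

  public static void main(String[] args) throws Exception {
    Path secret = Files.createTempFile("xxe-check", ".txt");
    Files.write(secret, MARKER.getBytes(StandardCharsets.UTF_8));
    // Constructed test document: one entity pointing at the temp file created above.
    String xml = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE game [<!ENTITY probe SYSTEM \"" + secret.toUri() + "\">]>\n"
        + "<game><info name=\"constructed\">&probe;</info></game>";
    System.out.println("JVM: " + System.getProperty("java.vendor") + " "
        + System.getProperty("java.version") + " on " + System.getProperty("os.name"));
    System.out.println("default factory:  " + check(DocumentBuilderFactory.newInstance(), xml));
    System.out.println("hardened factory: " + check(hardenedFactory(), xml));
    Files.delete(secret);
  }
}
```

If game files must be validated against a bundled DTD, the `load-external-dtd` line would need to be replaced by an `EntityResolver` that serves only that DTD.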