XXE vulnerability #25

Closed
guykoth opened this Issue Sep 7, 2015 · 12 comments

Comments

Projects
None yet
5 participants
@guykoth

guykoth commented Sep 7, 2015

DTD processing was enabled and therefore, XML deserialization process was vulnerable to XML External Entity Injection (I was able to expose local files).
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

Suggestion is to ignore client-side DOCTYPE declarations.

@joehni

This comment has been minimized.

Show comment
Hide comment
@joehni

joehni Sep 7, 2015

Member

XStream supports a big number of XML parsers. Its default is Xpp3 which does not support entities at all. So what parser did you use?

Member

joehni commented Sep 7, 2015

XStream supports a big number of XML parsers. Its default is Xpp3 which does not support entities at all. So what parser did you use?

@guykoth

This comment has been minimized.

Show comment
Hide comment
@guykoth

guykoth Sep 8, 2015

Payload:

%passwd;
]>

stack-trace

guykoth commented Sep 8, 2015

Payload:

%passwd;
]>

stack-trace

@joehni joehni self-assigned this Oct 5, 2015

@joehni joehni added this to the 1.4.x milestone Oct 5, 2015

@joehni joehni added the bug label Oct 5, 2015

@joehni

This comment has been minimized.

Show comment
Hide comment
@joehni

joehni Oct 5, 2015

Member

As far as possible I've turned off processing of external entities for all affected parsers.

Member

joehni commented Oct 5, 2015

As far as possible I've turned off processing of external entities for all affected parsers.

@joehni

This comment has been minimized.

Show comment
Hide comment
@joehni

joehni Oct 9, 2015

Member

Ported into 1.4.x branch.

Member

joehni commented Oct 9, 2015

Ported into 1.4.x branch.

@joehni joehni closed this Oct 9, 2015

@govindraghu

This comment has been minimized.

Show comment
Hide comment
@govindraghu

govindraghu Feb 18, 2016

I am using xstream-1.3.1 version. Is the "turn off on external entities" implemented in this version?

I am using xstream-1.3.1 version. Is the "turn off on external entities" implemented in this version?

@joehni

This comment has been minimized.

Show comment
Hide comment
@joehni

joehni Feb 18, 2016

Member

No. That version is 7 years old and the 1.3.x line is no longer maintained.

Member

joehni commented Feb 18, 2016

No. That version is 7 years old and the 1.3.x line is no longer maintained.

@govindraghu

This comment has been minimized.

Show comment
Hide comment
@govindraghu

govindraghu Feb 18, 2016

Thanks joehni for your quick response. I will plan on upgrading the to the latest version. In the mean time, I downloaded the latest source code of 1.4.8. Can you point me what class/method addresses the fix "disallow-doctype-decl" as pointed out in URL https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);

Thanks joehni for your quick response. I will plan on upgrading the to the latest version. In the mean time, I downloaded the latest source code of 1.4.8. Can you point me what class/method addresses the fix "disallow-doctype-decl" as pointed out in URL https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);

@joehni

This comment has been minimized.

Show comment
Hide comment
@joehni

joehni Feb 22, 2016

Member

Hi, it's unfortunately not yet released. It's a series of commits. Look into the history of the 1.4.x branch in October 2015.

Member

joehni commented Feb 22, 2016

Hi, it's unfortunately not yet released. It's a series of commits. Look into the history of the 1.4.x branch in October 2015.

@joehni joehni modified the milestones: 1.4.x, 1.4.9 Mar 16, 2016

@mceli

This comment has been minimized.

Show comment
Hide comment
@mceli

mceli Apr 4, 2016

Hello @joehni , Is xstream-1.4.3 vulnerable to this issue?

mceli commented Apr 4, 2016

Hello @joehni , Is xstream-1.4.3 vulnerable to this issue?

@joehni

This comment has been minimized.

Show comment
Hide comment
@joehni

joehni Apr 5, 2016

Member

Look at the milestone of this issue.

Member

joehni commented Apr 5, 2016

Look at the milestone of this issue.

@adioss

This comment has been minimized.

Show comment
Hide comment
@adioss

adioss Jun 28, 2016

Hello,

A little question/remark: the threat is reported here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3674. You can notice that:

cpe:/a:x-stream:xstream:1.4.8 and previous versions

so the product vendor here is "x-stream". But now (I can see it here http://mvnrepository.com/artifact/xstream/xstream) the vendor for current version is "com.thoughtworks.xstream" so in my opinion, CVE is not correctly reported for the moment. For example, if you use tools like OWASP dependency check (or maybe blackduck), you won't be able to detect that the lib is sensitive to potential threat.

Do you think it's possible to contact NIST to update/add the new vendor to CPE (very sorry, I'm NOT (sorry) aware how to do that/if it's possible...)?

Adrien

adioss commented Jun 28, 2016

Hello,

A little question/remark: the threat is reported here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3674. You can notice that:

cpe:/a:x-stream:xstream:1.4.8 and previous versions

so the product vendor here is "x-stream". But now (I can see it here http://mvnrepository.com/artifact/xstream/xstream) the vendor for current version is "com.thoughtworks.xstream" so in my opinion, CVE is not correctly reported for the moment. For example, if you use tools like OWASP dependency check (or maybe blackduck), you won't be able to detect that the lib is sensitive to potential threat.

Do you think it's possible to contact NIST to update/add the new vendor to CPE (very sorry, I'm NOT (sorry) aware how to do that/if it's possible...)?

Adrien

@joehni

This comment has been minimized.

Show comment
Hide comment
@joehni

joehni Jun 28, 2016

Member

Hi,
actually I have no clue, how this report has been generated. All I did was to send an CVE request to Openwall and got the number back after some time.

Member

joehni commented Jun 28, 2016

Hi,
actually I have no clue, how this report has been generated. All I did was to send an CVE request to Openwall and got the number back after some time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment