Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

XXE vulnerability #25

Closed
guykoth opened this issue Sep 7, 2015 · 12 comments

Comments

@guykoth
Copy link

commented Sep 7, 2015

DTD processing was enabled and therefore, XML deserialization process was vulnerable to XML External Entity Injection (I was able to expose local files).
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

Suggestion is to ignore client-side DOCTYPE declarations.

@joehni

This comment has been minimized.

Copy link
Member

commented Sep 7, 2015

XStream supports a big number of XML parsers. Its default is Xpp3 which does not support entities at all. So what parser did you use?

@guykoth

This comment has been minimized.

Copy link
Author

commented Sep 8, 2015

Payload:

%passwd;
]>

stack-trace

joehni added a commit that referenced this issue Oct 5, 2015
@joehni joehni self-assigned this Oct 5, 2015
@joehni joehni added this to the 1.4.x milestone Oct 5, 2015
@joehni joehni added the bug label Oct 5, 2015
@joehni

This comment has been minimized.

Copy link
Member

commented Oct 5, 2015

As far as possible I've turned off processing of external entities for all affected parsers.

@joehni

This comment has been minimized.

Copy link
Member

commented Oct 9, 2015

Ported into 1.4.x branch.

@joehni joehni closed this Oct 9, 2015
@govindraghu

This comment has been minimized.

Copy link

commented Feb 18, 2016

I am using xstream-1.3.1 version. Is the "turn off on external entities" implemented in this version?

@joehni

This comment has been minimized.

Copy link
Member

commented Feb 18, 2016

No. That version is 7 years old and the 1.3.x line is no longer maintained.

@govindraghu

This comment has been minimized.

Copy link

commented Feb 18, 2016

Thanks joehni for your quick response. I will plan on upgrading the to the latest version. In the mean time, I downloaded the latest source code of 1.4.8. Can you point me what class/method addresses the fix "disallow-doctype-decl" as pointed out in URL https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);

@joehni

This comment has been minimized.

Copy link
Member

commented Feb 22, 2016

Hi, it's unfortunately not yet released. It's a series of commits. Look into the history of the 1.4.x branch in October 2015.

@joehni joehni modified the milestones: 1.4.x, 1.4.9 Mar 16, 2016
@mceli

This comment has been minimized.

Copy link

commented Apr 4, 2016

Hello @joehni , Is xstream-1.4.3 vulnerable to this issue?

@joehni

This comment has been minimized.

Copy link
Member

commented Apr 5, 2016

Look at the milestone of this issue.

@adioss

This comment has been minimized.

Copy link

commented Jun 28, 2016

Hello,

A little question/remark: the threat is reported here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3674. You can notice that:

cpe:/a:x-stream:xstream:1.4.8 and previous versions

so the product vendor here is "x-stream". But now (I can see it here http://mvnrepository.com/artifact/xstream/xstream) the vendor for current version is "com.thoughtworks.xstream" so in my opinion, CVE is not correctly reported for the moment. For example, if you use tools like OWASP dependency check (or maybe blackduck), you won't be able to detect that the lib is sensitive to potential threat.

Do you think it's possible to contact NIST to update/add the new vendor to CPE (very sorry, I'm NOT (sorry) aware how to do that/if it's possible...)?

Adrien

@joehni

This comment has been minimized.

Copy link
Member

commented Jun 28, 2016

Hi,
actually I have no clue, how this report has been generated. All I did was to send an CVE request to Openwall and got the number back after some time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
5 participants
You can’t perform that action at this time.