Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upXXE vulnerability #25
Comments
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
joehni
Sep 7, 2015
Member
XStream supports a big number of XML parsers. Its default is Xpp3 which does not support entities at all. So what parser did you use?
|
XStream supports a big number of XML parsers. Its default is Xpp3 which does not support entities at all. So what parser did you use? |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
guykoth
commented
Sep 8, 2015
|
Payload: %passwd;
|
added a commit
that referenced
this issue
Oct 5, 2015
joehni
self-assigned this
Oct 5, 2015
joehni
added this to the 1.4.x milestone
Oct 5, 2015
joehni
added
the
bug
label
Oct 5, 2015
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
joehni
Oct 5, 2015
Member
As far as possible I've turned off processing of external entities for all affected parsers.
|
As far as possible I've turned off processing of external entities for all affected parsers. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
|
Ported into 1.4.x branch. |
joehni
closed this
Oct 9, 2015
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
govindraghu
Feb 18, 2016
I am using xstream-1.3.1 version. Is the "turn off on external entities" implemented in this version?
govindraghu
commented
Feb 18, 2016
|
I am using xstream-1.3.1 version. Is the "turn off on external entities" implemented in this version? |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
joehni
Feb 18, 2016
Member
No. That version is 7 years old and the 1.3.x line is no longer maintained.
|
No. That version is 7 years old and the 1.3.x line is no longer maintained. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
govindraghu
Feb 18, 2016
Thanks joehni for your quick response. I will plan on upgrading the to the latest version. In the mean time, I downloaded the latest source code of 1.4.8. Can you point me what class/method addresses the fix "disallow-doctype-decl" as pointed out in URL https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);
govindraghu
commented
Feb 18, 2016
|
Thanks joehni for your quick response. I will plan on upgrading the to the latest version. In the mean time, I downloaded the latest source code of 1.4.8. Can you point me what class/method addresses the fix "disallow-doctype-decl" as pointed out in URL https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl"; |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
joehni
Feb 22, 2016
Member
Hi, it's unfortunately not yet released. It's a series of commits. Look into the history of the 1.4.x branch in October 2015.
|
Hi, it's unfortunately not yet released. It's a series of commits. Look into the history of the 1.4.x branch in October 2015. |
joehni
modified the milestones:
1.4.x,
1.4.9
Mar 16, 2016
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
mceli
commented
Apr 4, 2016
|
Hello @joehni , Is xstream-1.4.3 vulnerable to this issue? |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
|
Look at the milestone of this issue. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
adioss
Jun 28, 2016
Hello,
A little question/remark: the threat is reported here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3674. You can notice that:
cpe:/a:x-stream:xstream:1.4.8 and previous versions
so the product vendor here is "x-stream". But now (I can see it here http://mvnrepository.com/artifact/xstream/xstream) the vendor for current version is "com.thoughtworks.xstream" so in my opinion, CVE is not correctly reported for the moment. For example, if you use tools like OWASP dependency check (or maybe blackduck), you won't be able to detect that the lib is sensitive to potential threat.
Do you think it's possible to contact NIST to update/add the new vendor to CPE (very sorry, I'm NOT (sorry) aware how to do that/if it's possible...)?
Adrien
adioss
commented
Jun 28, 2016
•
|
Hello, A little question/remark: the threat is reported here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3674. You can notice that:
so the product vendor here is "x-stream". But now (I can see it here http://mvnrepository.com/artifact/xstream/xstream) the vendor for current version is "com.thoughtworks.xstream" so in my opinion, CVE is not correctly reported for the moment. For example, if you use tools like OWASP dependency check (or maybe blackduck), you won't be able to detect that the lib is sensitive to potential threat. Do you think it's possible to contact NIST to update/add the new vendor to CPE (very sorry, I'm NOT (sorry) aware how to do that/if it's possible...)? Adrien |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
joehni
Jun 28, 2016
Member
Hi,
actually I have no clue, how this report has been generated. All I did was to send an CVE request to Openwall and got the number back after some time.
|
Hi, |
guykoth commentedSep 7, 2015
DTD processing was enabled and therefore, XML deserialization process was vulnerable to XML External Entity Injection (I was able to expose local files).
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
Suggestion is to ignore client-side DOCTYPE declarations.