XXE vulnerability #25
DTD processing was enabled and therefore the XML deserialization process was vulnerable to XML External Entity Injection (I was able to expose local files).
Suggestion is to ignore client-side DOCTYPE declarations.
Thanks joehni for your quick response. I will plan on upgrading to the latest version. In the meantime, I downloaded the latest source code of 1.4.8. Can you point me to what class/method addresses the fix "disallow-doctype-decl" as pointed out in URL https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
A little question/remark: the threat is reported here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3674. You can notice that:
so the product vendor here is "x-stream". But now (I can see it here http://mvnrepository.com/artifact/xstream/xstream) the vendor for the current version is "com.thoughtworks.xstream", so in my opinion the CVE is not correctly reported for the moment. For example, if you use tools like OWASP Dependency-Check (or maybe Black Duck), you won't be able to detect that the lib is sensitive to a potential threat.
Do you think it's possible to contact NIST to update/add the new vendor to the CPE (very sorry, I'm NOT aware of how to do that / whether it's possible...)?