Donald Kwakkel created CMIS-941:
-----------------------------------
Summary: XML External Entity Injection possible in LoggingFilter
Key: CMIS-941
URL: https://issues.apache.org/jira/browse/CMIS-941
Project: Chemistry
Issue Type: Bug
Components: opencmis-client
Affects Versions: OpenCMIS 0.13.0
Reporter: Donald Kwakkel
The XML parser configured in LoggingFilter.java:205 neither disables nor limits
Document Type Definition (DTD) entity resolution. This exposes the parser to an
XML Entity Expansion injection.
Explanation:
XML Entity Expansion injection, also known as an XML Bomb, is a DoS attack that
uses a valid, well-formed XML document whose entities expand exponentially until
they exhaust the server's allocated resources. XML allows the definition of
custom entities, which act as string substitution macros. By nesting entity
references recursively, an attacker can easily exhaust the server's resources.
The following XML document shows an example of an XML Bomb.
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
This document could crash the server by expanding the small XML input into more
than 3GB in memory.
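As an added illustration of the mitigation (this is not OpenCMIS code and not the fix applied to LoggingFilter), the following JAXP configuration refuses any DOCTYPE before a single entity is expanded, and disables external entities and external DTD loading for the cases where a DOCTYPE cannot be forbidden outright. The feature URIs are the standard Xerces/JAXP feature names; the two sample documents and the class name are constructed for the example. Whether the unhardened parser fully expands a large bomb or stops at an implementation-specific expansion limit depends on the parser in use, which is why the hardened factory does not rely on such a limit.

```java
// Added example (not OpenCMIS code): locking down a JAXP DocumentBuilderFactory
// so that DTD-based entity expansion cannot reach the parser at all.
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedXmlParsing {

    // Constructed sample: a two-level cut-down of the entity bomb from the report
    // (only 10 expansions, so it is harmless to feed to the unhardened parser for comparison).
    static final String SMALL_BOMB =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE lolz [\n"
      + "<!ENTITY lol \"lol\">\n"
      + "<!ENTITY lol2 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
      + "]>\n"
      + "<lolz>&lol2;</lolz>";

    // Constructed sample of ordinary input that carries no DTD.
    static final String PLAIN = "<?xml version=\"1.0\"?><doc><item>ok</item></doc>";

    /** Unhardened factory: the DTD is processed and entities are expanded (the situation in the report). */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened factory: no DOCTYPE at all, no external entities, no external DTD, no XInclude. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Primary control: reject any document that declares a DOCTYPE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must accept a DOCTYPE: no external entity resolution.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses with the given builder; returns the root element's text, or null if the parser refused the input. */
    static String parseOrNull(DocumentBuilder builder, String xml) throws IOException {
        try {
            Document d = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTextContent();
        } catch (SAXException e) {
            // disallow-doctype-decl surfaces as a SAXParseException at the DOCTYPE line.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        String expanded = parseOrNull(defaultBuilder(), SMALL_BOMB);
        System.out.println("default parser turned " + SMALL_BOMB.length() + " bytes of input into "
                + (expanded == null ? "(refused)" : expanded.length() + " chars of element text"));

        String hardened = parseOrNull(hardenedBuilder(), SMALL_BOMB);
        System.out.println("hardened parser on the bomb: "
                + (hardened == null ? "rejected at DOCTYPE" : "ACCEPTED (misconfigured)"));
        System.out.println("hardened parser on plain input: " + parseOrNull(hardenedBuilder(), PLAIN));
    }
}
```

The same settings are needed on every parser the application creates, not only the one at LoggingFilter.java:205: a SAXParserFactory takes the identical feature URIs through setFeature, and a StAX XMLInputFactory needs XMLInputFactory.SUPPORT_DTD set to false. Rejecting the DOCTYPE outright is the simplest effective control and is the right choice for a logging filter, which has no legitimate need to validate against a DTD; the external-entity features then only matter for endpoints that genuinely must accept one.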
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)