[ https://issues.apache.org/jira/browse/CMIS-941?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Müller resolved CMIS-941.
---------------------------------
    Resolution: Won't Fix

LoggingFilter is a debug tool and should never be used in a production system.
It's commented out in all default web.xml files with a warning to turn it on.

> XML External Entity Injection possible in LoggingFilter
> -------------------------------------------------------
>
>                 Key: CMIS-941
>                 URL: https://issues.apache.org/jira/browse/CMIS-941
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-client
>    Affects Versions: OpenCMIS 0.13.0
>            Reporter: Donald Kwakkel
>
> The XML parser configured in LoggingFilter.java:205 does not prevent or
> limit Document Type Definition (DTD) entity resolution. This can expose the
> parser to an XML Entity Expansion injection.
> Explanation:
> XML Entity Expansion injection, also known as XML Bombs, is a DoS attack that
> benefits from valid and well-formed XML blocks that expand exponentially until
> they exhaust the server's allocated resources. XML allows defining custom
> entities which act as string substitution macros. By nesting recurrent entity
> resolutions, an attacker can easily exhaust the server's resources.
> The following XML document shows an example of an XML Bomb.
> <?xml version="1.0"?>
> <!DOCTYPE lolz [
>   <!ENTITY lol "lol">
>   <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
>   <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
>   <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
>   <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
>   <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
>   <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
>   <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
>   <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
> ]>
> <lolz>&lol9;</lolz>
> This test could crash the server by expanding the small XML document into
> more than 3 GB in memory.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
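For readers who want to see the mitigation the report is asking for, the following is an added example; it is not code from the issue, from LoggingFilter.java or from the OpenCMIS project. It hardens a JAXP DocumentBuilderFactory so that any document carrying a DOCTYPE (and therefore any entity definition, internal or external) is rejected before a single entity is expanded. It assumes the JDK's built-in, Xerces-derived parser, which understands the Apache feature URIs used below; the class name, method names and the two sample documents are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Hypothetical helper showing how an XML parser that handles client input should be configured. */
public final class HardenedXmlParser {

    /**
     * Build a factory that refuses DOCTYPE declarations outright. Without a DTD there are
     * no entity definitions, so neither internal expansion (XML bombs) nor external
     * entities (XXE) can occur. The remaining settings are defence in depth for parser
     * implementations that do not honour disallow-doctype-decl.
     */
    public static DocumentBuilderFactory newHardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: reject the DOCTYPE itself (Xerces feature, supported by the JDK parser).
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Secondary controls: no external general/parameter entities, no external DTD fetch.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Enables the JDK's built-in entity expansion and size limits.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parse bytes that may come from an untrusted client. Throws SAXException on any DOCTYPE. */
    public static Document parseUntrusted(byte[] xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = newHardenedFactory().newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml));
    }

    /** Returns true when the hardened parser rejects the document, false when it parses cleanly. */
    public static boolean isRejected(String xml) throws ParserConfigurationException, IOException {
        try {
            parseUntrusted(xml.getBytes(StandardCharsets.UTF_8));
            return false;
        } catch (SAXException e) {
            // Expected for any input with a DOCTYPE: "DOCTYPE is disallowed when the feature ... is set to true"
            return true;
        }
    }

    // Constructed sample inputs (not taken from the issue): one plain document and one
    // with a minimal DTD. A single harmless entity is enough to trigger the rejection.
    static final String PLAIN_DOC = "<?xml version=\"1.0\"?><lolz>hello</lolz>";
    static final String DOC_WITH_DTD =
            "<?xml version=\"1.0\"?><!DOCTYPE lolz [<!ENTITY lol \"lol\">]><lolz>&lol;</lolz>";

    public static void main(String[] args) throws Exception {
        System.out.println("plain document rejected:   " + isRejected(PLAIN_DOC));
        System.out.println("DOCTYPE document rejected: " + isRejected(DOC_WITH_DTD));
    }
}
```

The same feature flags apply to SAXParserFactory and, through XMLInputFactory properties, to StAX; the point is that a debug filter which echoes request bodies through a DOM parser inherits the parser's defaults, so the factory has to be hardened wherever it is created, not only where the filter is enabled.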
