Donald Kwakkel created CMIS-944:
-----------------------------------
Summary: XML External Entity Injection possible in WebSphereAuthHandler
Key: CMIS-944
URL: https://issues.apache.org/jira/browse/CMIS-944
Project: Chemistry
Issue Type: Bug
Components: opencmis-client
Affects Versions: OpenCMIS 0.13.0
Reporter: Donald Kwakkel
The XML parser configured in WebSphereAuthHandler.java:72 neither prevents nor
limits external entity resolution. This exposes the parser to an XML External
Entity attack.
Explanation:
XML External Entity attacks abuse an XML feature that builds documents
dynamically at processing time. An XML entity allows data to be included
dynamically from a given resource, and external entities allow an XML document
to include data from an external URI. Unless configured otherwise, external
entities force the XML parser to access the resource specified by the URI,
e.g. a file on the local machine or on a remote system. This behavior exposes
the application to XML External Entity (XXE) attacks, which can be used to
perform denial of service against the local system, gain unauthorized access to
files on the local machine, scan remote machines, and perform denial of service
against remote systems.
The following XML document shows an example of an XXE attack.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
This example could crash the server (on a UNIX system) if the XML parser
attempts to substitute the entity with the contents of the /dev/random file.
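The parser-side hardening a maintainer would apply for this class of bug, as an added example that is not the project's code or the eventual fix for this issue; it assumes the handler builds its parser through JAXP's DocumentBuilderFactory, which the report does not state, and feeds it the report's own payload to show the hardened parser rejects it.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Build a JAXP DocumentBuilderFactory that refuses DTDs and external entities.
    // Feature URIs are the standard SAX/Xerces ones; support varies by parser,
    // so an unsupported feature surfaces as a ParserConfigurationException.
    static DocumentBuilderFactory newHardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Strongest single control: reject any DOCTYPE, which removes every
        // entity declaration (internal or external) from the document.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Returns true when the document parses, false when the hardened parser rejects it.
    static boolean parses(String xml) throws Exception {
        DocumentBuilder db = newHardenedFactory().newDocumentBuilder();
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.ISO_8859_1)));
            return true;
        } catch (SAXParseException e) {
            // disallow-doctype-decl makes the DOCTYPE itself a fatal error,
            // so the SYSTEM entity is never resolved.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the payload quoted in the report and a harmless document.
        String xxe = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>"
            + "<!DOCTYPE foo [<!ELEMENT foo ANY >"
            + "<!ENTITY xxe SYSTEM \"file:///dev/random\" >]><foo>&xxe;</foo>";
        String benign = "<?xml version=\"1.0\"?><foo>hello</foo>";
        System.out.println("XXE payload accepted: " + parses(xxe));
        System.out.println("Benign document accepted: " + parses(benign));
    }
}
```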
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)