[ https://issues.apache.org/jira/browse/CMIS-941?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14709097#comment-14709097 ]
Donald Kwakkel commented on CMIS-941:
-------------------------------------

Thanks for pointing out it is disabled by default (and for the very quick replies!). FYI: I downloaded chemistry-opencmis-0.13.0-source-release.zip and there the code is:
{code}
Transformer transformer = transformerFactory.newTransformer();
{code}
So it seems not to be part of 0.13.

> XML External Entity Injection possible in LoggingFilter
> -------------------------------------------------------
>
> Key: CMIS-941
> URL: https://issues.apache.org/jira/browse/CMIS-941
> Project: Chemistry
> Issue Type: Bug
> Components: opencmis-client
> Affects Versions: OpenCMIS 0.13.0
> Reporter: Donald Kwakkel
>
> The XML parser configured in LoggingFilter.java:205 does not prevent or limit Document Type Definition (DTD) entity resolution. This can expose the parser to an XML Entity Expansion injection.
>
> Explanation:
> XML Entity Expansion injection, also known as an XML Bomb, is a DoS attack that benefits from valid and well-formed XML blocks that expand exponentially until they exhaust the resources allocated to the server. XML allows defining custom entities which act as string substitution macros. By nesting recurrent entity resolutions, an attacker can easily exhaust the server's resources.
>
> The following XML document shows an example of an XML Bomb.
>
> <?xml version="1.0"?>
> <!DOCTYPE lolz [
> <!ENTITY lol "lol">
> <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
> ]>
> <lolz>&lol9;</lolz>
>
> This test could crash the server by expanding the small XML document into more than 3GB in memory.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
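As an added example (not OpenCMIS code and not from this thread), the following shows how a logging filter that pretty-prints untrusted XML can refuse any DOCTYPE before the Transformer sees the input, so neither an entity-expansion bomb nor an external entity can be declared; the class name, method name and sample documents are assumptions made for the illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class SafePrettyPrint { // hypothetical class, not part of OpenCMIS
    // Parse untrusted XML with DOCTYPE processing disabled, then pretty-print the
    // DOM. Rejecting the DOCTYPE up front means no entity (internal or external)
    // can be declared, so an expansion bomb never reaches the transformer.
    static String prettyPrint(String untrustedXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(untrustedXml)));
        // Harden the TransformerFactory too, in case a StreamSource is ever passed to it directly.
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        Transformer transformer = tf.newTransformer();
        transformer.setOutputProperty(OutputKeys.INDENT, "yes");
        StringWriter out = new StringWriter();
        transformer.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a harmless document and one carrying a DOCTYPE with an entity.
        String plain = "<a><b>x</b></a>";
        String withDtd = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e \"e\">]><r>&e;</r>";
        System.out.println(prettyPrint(plain));
        try {
            prettyPrint(withDtd);
        } catch (SAXParseException e) {
            // Expected: the parser refuses the DOCTYPE before any entity is expanded.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On JAXP implementations older than JAXP 1.5, `setAttribute` with `ACCESS_EXTERNAL_DTD` throws `IllegalArgumentException`; catch it only if the runtime cannot be controlled, since the `disallow-doctype-decl` feature on the parser is what actually blocks the bomb.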