[ https://issues.apache.org/jira/browse/CMIS-944?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14709101#comment-14709101 ]

Donald Kwakkel commented on CMIS-944:
-------------------------------------

Great, thanks!

> XML External Entity Injection possible in WebSphereAuthHandler
> --------------------------------------------------------------
>
>                 Key: CMIS-944
>                 URL: https://issues.apache.org/jira/browse/CMIS-944
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-client
>    Affects Versions: OpenCMIS 0.13.0
>            Reporter: Donald Kwakkel
>
> The XML parser configured in WebSphereAuthHandler.java:72 does not prevent or 
> limit external entity resolution. This can expose the parser to an XML 
> External Entities attack.
> Explanation:
> XML External Entities attacks benefit from an XML feature to build documents 
> dynamically at the time of processing. An XML entity allows inclusion of data 
> dynamically from a given resource. External entities allow an XML document to 
> include data from an external URI. Unless configured to do otherwise, 
> external entities force the XML parser to access the resource specified by 
> the URI, e.g., a file on the local machine or on a remote system. This 
> behavior exposes the application to XML External Entity (XXE) attacks, which 
> can be used to perform denial of service of the local system, gain 
> unauthorized access to files on the local machine, scan remote machines, and 
> perform denial of service of remote systems.
> The following XML document shows an example of an XXE attack.
> <?xml version="1.0" encoding="ISO-8859-1"?>
>  <!DOCTYPE foo [
>   <!ELEMENT foo ANY >
>   <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
> This example could crash the server (on a UNIX system), if the XML parser 
> attempts to substitute the entity with the contents of the /dev/random file.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
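As an added illustration (not OpenCMIS code and not the patch the project shipped for this issue), the following shows a DocumentBuilderFactory configured so that the external-entity resolution described in the report cannot happen, together with a check that a DOCTYPE-bearing document like the one quoted above is rejected while a plain document still parses; the class name HardenedXmlParser and the file:///PLACEHOLDER entity URI are constructed for the example.

```java
// Added example, not part of OpenCMIS: a hardened DocumentBuilderFactory
// and a check that it refuses a document carrying a DOCTYPE/external entity.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Factory that rejects DOCTYPE declarations and never resolves
    // external general/parameter entities or external DTDs.
    public static DocumentBuilderFactory hardenedFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refusing the DOCTYPE outright stops XXE and entity-expansion DoS.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case an implementation ignores the setting above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the given XML; returns null when the hardened parser rejects it.
    public static Document parseOrNull(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        try {
            return b.parse(new ByteArrayInputStream(
                    xml.getBytes(StandardCharsets.ISO_8859_1)));
        } catch (SAXParseException e) {
            // Expected for any document that declares a DOCTYPE.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the SYSTEM URI is a placeholder and is never fetched,
        // because the parser aborts at the DOCTYPE before resolving anything.
        String withEntity = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>"
                + "<!DOCTYPE foo [<!ELEMENT foo ANY>"
                + "<!ENTITY xxe SYSTEM \"file:///PLACEHOLDER\">]><foo>&xxe;</foo>";
        String plain = "<foo>hello</foo>";
        System.out.println("DOCTYPE document rejected: " + (parseOrNull(withEntity) == null));
        System.out.println("plain document parsed:     " + (parseOrNull(plain) != null));
    }
}
```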