Date: Thu, 8 May 2014 14:55:36 -0700 From: "Timoth D. Morgan" <tim-security@...tinelchicken.org> To: oss-security@...ts.openwall.com Cc: nicolas.gregoire@...rri.fr Subject: Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled In my testing, this same issue is true for Java. That is, if you use DocumentBuilderFactory's setExpandEntityReferences method and supply "false", then it has a very similar behavior. I'm about to release a comprehensive XXE paper, and here's a preview of what I have written about it: "Java developers who use the default parser (or a newer version of Xerces-J) need to change one or more settings to make Xerces reasonably safe when processing untrusted XML. One behavior to be aware of is the fact that the DocumentBuilderFactory's setExpandEntityReferences method does not provide protection as one might expect. Calling this method with a "false" argument causes the parser to omit external entity data in the document when referenced, but it does not prevent definitions of external entities. This means the parser will still fetch external URLs, which could obviously be used for blind SSRF attacks (even if the content isn't used later in the document). Worse still, this setting does not prevent full use of external parameter entities, which would likely allow an attacker to conduct all of the same attacks that are possible with regular external entities." Should we assign a CVE for this as well? I believe I tested versions 1.6.0_18 and 1.7.0_51, though I'd want someone to verify this, since it has been some time since I observed the behavior. tim On Tue, May 06, 2014 at 08:55:58PM +0200, Tomas Hoger wrote: > On Tue, 06 May 2014 20:21:28 +0200 Nicolas Grégoire wrote: > > > > libxml2 [...] incorrectly performs entity substituton in the doctype > > > prolog, even if the application using libxml2 disabled any entity > > > substitution. > > > > I'm not sure that I understand this bug. Do you have a PoC? > > The new issue is very similar to the one fixed by: > > https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f > > which is linked to the infamous CVE-2013-0339. 4629ee0 fixed the issue > for general entities, while the 9cd1c3c fixes the same type of problem > for parameter entities. Even when parsing without NOENT, external > parameter entities are fetched. > > -- > Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ