Date: Mon, 12 May 2014 18:58:58 +0200 From: Tomas Hoger <thoger@...hat.com> To: oss-security@...ts.openwall.com Cc: tim-security@...tinelchicken.org, nicolas.gregoire@...rri.fr Subject: Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Hi! I can hardly call myself familiar with Java XML parsers, but here's my 2c form a quick search around this that may be wrong. Please correct my mistakes. On Thu, 8 May 2014 14:55:36 -0700 Timoth D. Morgan wrote: > That is, if you use DocumentBuilderFactory's setExpandEntityReferences > method and supply "false", then it has a very similar behavior. I'm > about to release a comprehensive XXE paper, and here's a preview of > what I have written about it: As far as I can see setExpandEntityReferences() controls what value is set for the create-entity-ref-nodes DOM parser feature: http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/file/cae04d181428/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java#l158 http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/file/cae04d181428/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java#l74 http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/file/cae04d181428/src/com/sun/org/apache/xerces/internal/impl/Constants.java#l427 The description in Java API docs is rather brief, xerces docs have more details: http://xerces.apache.org/xerces-j/features.html#create-entity-ref-nodes http://xerces.apache.org/xerces2-j/features.html#dom.create-entity-ref-nodes AFAICS, the feature does not aim to control if entity references are expanded, but only how exactly they appear in the resulting DOM tree. > "Java developers who use the default parser (or a newer version of > Xerces-J) need to change one or more settings to make Xerces > reasonably safe when processing untrusted XML. One behavior to be > aware of is the fact that the DocumentBuilderFactory's > setExpandEntityReferences method does not provide protection as one > might expect. Calling this method with a "false" argument causes the > parser to omit external entity data in the document when referenced, > but it does not prevent definitions of external entities. This means > the parser will still fetch external URLs, which could obviously be > used for blind SSRF attacks (even if the content isn't used later in > the document). Worse still, this setting does not prevent full use > of external parameter entities, which would likely allow an attacker > to conduct all of the same attacks that are possible with regular > external entities." Maybe your paper should rather mention parser features as external-general-entities and external-parameter-entities: http://docs.oracle.com/javase/7/docs/api/org/xml/sax/package-summary.html#package_description OWASP XXE document covers some of this, but actually mentions only one of the two features... https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing#Java -- Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ