Date: Fri, 06 Jun 2014 17:25:26 +1000
From: David Jorm <djorm@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled

On 06/04/2014 01:37 AM, Tim wrote:
> Hi David,
>
>> Sorry for the absurdly late reply to this thread. I finally found time to do
>> some testing on OpenJDK 1.7.0_45. I can confirm Tomas' assessment that
>> setExpandEntityReferences() and
>> setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) have no bearing on
>> whether or not entity references are expanded, nor do they purport
>> to.
> Yeah, you gotta love FEATURE_SECURE_PROCESSING.  It's just like
> calling a website "secure" because it uses SSL.
>
> I agree that these features don't purport to turn off certain
> dangerous features, but to a developer who doesn't know what parameter
> entities are, they could very easily assume they are safe with
> setExpandEntityReferences(false).
>
>
>> Applications that process attacker-supplied XML using Xerces are vulnerable
>> to SSRF attacks unless they use both
>> setFeature("http://xml.org/sax/features/external-parameter-entities", false)
>> and setFeature("http://xml.org/sax/features/external-general-entities",
>> false).
>>
>> The OWASP XXE document should be updated to mention
>> external-parameter-entities. I will do this as soon as my OWASP wiki account
>> is approved.
> Feel free to use this as a reference for other thoughts on what
> developers should be wary of:
>    http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf

This is a fantastic paper; I have no edits to propose. I read through it
today, and I have already found one rather interesting flaw related to
the attack detailed on page 11. I'll be sure to reference this paper in
the relevant advisory.

David
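As an added example (not code from the thread, the paper or the Xerces project), the following Java/JAXP snippet puts the two SAX features the message above says must both be disabled beside the setExpandEntityReferences(false) setting that, as reported above, does not stop external parameter entities from being loaded. The sample document, class name and placeholder URL are constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class XercesEntityConfig {
    // Constructed sample input: an internal DTD subset that declares and
    // references an external parameter entity. The host is a placeholder.
    static final String SAMPLE_XML =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE doc [\n"
        + "  <!ENTITY % ext SYSTEM \"http://placeholder.invalid/external.dtd\">\n"
        + "  %ext;\n"
        + "]>\n"
        + "<doc>hello</doc>";

    /** Looks hardened but is not: the parser still fetches %ext; from the network. */
    static DocumentBuilderFactory insufficientFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Only controls whether entity-reference nodes appear in the DOM;
        // external parameter entities are still loaded (as reported in the thread).
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Both SAX features named in the thread: external entities are not loaded at all. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    static String rootText(DocumentBuilderFactory f) throws Exception {
        Document d = f.newDocumentBuilder().parse(
                new ByteArrayInputStream(SAMPLE_XML.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // No network access: %ext; is skipped rather than resolved.
        System.out.println(rootText(hardenedFactory()));
        // rootText(insufficientFactory()) would attempt to fetch placeholder.invalid
        // and is deliberately not run here.
    }
}
```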
