Date: Mon, 23 Nov 2015 15:17:09 +0100 From: "Christofer Dutz" <cdutz@...che.org> To: dev@...x.apache.org, "users@...x.apache.org" <users@...x.apache.org>, security@...che.org, oss-security@...ts.openwall.com, bugtraq@...urityfocus.com Subject: CVE-2015-5255: SSRF vulnerability in Apache Flex BlazeDS 4.7.1 CVE-2015-5255: SSRF vulnerability in Apache Flex BlazeDS 4.7.1 Severity: Important Vendor: The Apache Software Foundation Versions Affected: BlazeDS 4.7.0 and 4.7.1 Description: The code in BlazeDS to deserialize AMF XML datatypes allows so-called SSRF Attacks (Server Side Request Forgery) in which the server could contact a remote service on behalf of the attacker. The attacker could hereby circumvent firewall restrictions. Mitigation: 4.7.x users should upgrade to 4.7.2 Example: For XML object containing the following string representation: <!DOCTYPE foo PUBLIC "-//VSR//PENTEST//EN" "http://protected-server/protected-service"><foo>Some content</foo> The server could access the url: http://protected-server/protected-service Even if directly accessing this resource is prevented by firewall rules. Credit: This issue was discovered by James Kettle of PortSwigger Ltd. References: http://www.vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf Christofer Dutz
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ