Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 8 May 2014 14:55:36 -0700
From: "Timoth D. Morgan" <>
Subject: Re: CVE-2014-0191 libxml2: external parameter entity
 loaded when entity substitution is disabled

In my testing, this same issue is true for Java.

That is, if you use DocumentBuilderFactory's setExpandEntityReferences
method and supply "false", then it has a very similar behavior.  I'm
about to release a comprehensive XXE paper, and here's a preview of
what I have written about it:

"Java developers who use the default parser (or a newer version of
Xerces-J) need to change one or more settings to make Xerces
reasonably safe when processing untrusted XML.  One behavior to be
aware of is the fact that the DocumentBuilderFactory's
setExpandEntityReferences method does not provide protection as one
might expect.  Calling this method with a "false" argument causes the
parser to omit external entity data in the document when referenced,
but it does not prevent definitions of external entities.  This means
the parser will still fetch external URLs, which could obviously be
used for blind SSRF attacks (even if the content isn't used later in
the document).   Worse still, this setting does not prevent full use
of external parameter entities, which would likely allow an attacker
to conduct all of the same attacks that are possible with regular
external entities."

Should we assign a CVE for this as well?  I believe I tested versions
1.6.0_18 and 1.7.0_51, though I'd want someone to verify this, since
it has been some time since I observed the behavior.


On Tue, May 06, 2014 at 08:55:58PM +0200, Tomas Hoger wrote:
> On Tue, 06 May 2014 20:21:28 +0200 Nicolas Grégoire wrote:
> > > libxml2 [...] incorrectly performs entity substituton in the doctype
> > > prolog, even if the application using libxml2 disabled any entity
> > > substitution. 
> > 
> > I'm not sure that I understand this bug. Do you have a PoC?
> The new issue is very similar to the one fixed by:
> which is linked to the infamous CVE-2013-0339.  4629ee0 fixed the issue
> for general entities, while the 9cd1c3c fixes the same type of problem
> for parameter entities.  Even when parsing without NOENT, external
> parameter entities are fetched.
> -- 
> Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.