Date: Mon, 12 May 2014 18:58:58 +0200 From: Tomas Hoger <thoger@...hat.com> To: oss-security@...ts.openwall.com Cc: tim-security@...tinelchicken.org, nicolas.gregoire@...rri.fr Subject: Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Hi! I can hardly call myself familiar with Java XML parsers, but here's my 2c form a quick search around this that may be wrong. Please correct my mistakes. On Thu, 8 May 2014 14:55:36 -0700 Timoth D. Morgan wrote: > That is, if you use DocumentBuilderFactory's setExpandEntityReferences > method and supply "false", then it has a very similar behavior. I'm > about to release a comprehensive XXE paper, and here's a preview of > what I have written about it: As far as I can see setExpandEntityReferences() controls what value is set for the create-entity-ref-nodes DOM parser feature: http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/file/cae04d181428/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java#l158 http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/file/cae04d181428/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java#l74 http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/file/cae04d181428/src/com/sun/org/apache/xerces/internal/impl/Constants.java#l427 The description in Java API docs is rather brief, xerces docs have more details: http://xerces.apache.org/xerces-j/features.html#create-entity-ref-nodes http://xerces.apache.org/xerces2-j/features.html#dom.create-entity-ref-nodes AFAICS, the feature does not aim to control if entity references are expanded, but only how exactly they appear in the resulting DOM tree. > "Java developers who use the default parser (or a newer version of > Xerces-J) need to change one or more settings to make Xerces > reasonably safe when processing untrusted XML. One behavior to be > aware of is the fact that the DocumentBuilderFactory's > setExpandEntityReferences method does not provide protection as one > might expect. Calling this method with a "false" argument causes the > parser to omit external entity data in the document when referenced, > but it does not prevent definitions of external entities. This means > the parser will still fetch external URLs, which could obviously be > used for blind SSRF attacks (even if the content isn't used later in > the document). Worse still, this setting does not prevent full use > of external parameter entities, which would likely allow an attacker > to conduct all of the same attacks that are possible with regular > external entities." Maybe your paper should rather mention parser features as external-general-entities and external-parameter-entities: http://docs.oracle.com/javase/7/docs/api/org/xml/sax/package-summary.html#package_description OWASP XXE document covers some of this, but actually mentions only one of the two features... https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing#Java -- Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.