Date: Thu, 10 Jan 2019 21:09:25 -0500 From: Dave <snoopdave@...il.com> To: dev@...ler.apache.org, Roller User <user@...ler.apache.org>, security@...che.org, Arseniy Sharoglazov <mohemiv@...il.com>, oss-security@...ts.openwall.com Subject: [CVE-2018-17198] Server-side Request Forgery (SSRF) and File Enumeration vulnerability in Apache Roller Severity: Important Vendor: The Apache Software Foundation Versions Affected: Roller 5.2.1 Roller 5.2 The unsupported pre-Roller 5.1 versions may also be affected. Description: Roller relies on Java SAX Parser to implement its XML-RPC interface and by default that parser supports external entities in XML DOCTYPE, which opens Roller up to SSRF / File Enumeration vulnerability. Note that this vulnerability exists even if Roller XML-RPC interface is disable via the Roller web admin UI. Mitigation: There are a couple of ways you can fix this vulnerability: 1) Upgrade to the latest version of Roller, which is now 5.2.2 2) Or, edit the Roller web.xml file and comment out the XML-RPC Servlet mapping as shown below: <!-- <servlet-mapping> <servlet-name>XmlRpcServlet</servlet-name> <url-pattern>/roller-services/xmlrpc</url-pattern> </servlet-mapping> --> Credit: This issue was discovered by Arseniy Sharoglazov.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.