oss-sec mailing list archives
Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled
From: Tomas Hoger <thoger () redhat com>
Date: Mon, 12 May 2014 18:58:58 +0200
Hi! I can hardly call myself familiar with Java XML parsers, but here's my 2c from a quick search around this that may be wrong. Please correct my mistakes. On Thu, 8 May 2014 14:55:36 -0700 Timoth D. Morgan wrote:
That is, if you use DocumentBuilderFactory's setExpandEntityReferences method and supply "false", then it has a very similar behavior. I'm about to release a comprehensive XXE paper, and here's a preview of what I have written about it:
As far as I can see setExpandEntityReferences() controls what value is set for the create-entity-ref-nodes DOM parser feature:

http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/file/cae04d181428/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java#l158
http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/file/cae04d181428/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java#l74
http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/file/cae04d181428/src/com/sun/org/apache/xerces/internal/impl/Constants.java#l427

The description in Java API docs is rather brief, xerces docs have more details:

http://xerces.apache.org/xerces-j/features.html#create-entity-ref-nodes
http://xerces.apache.org/xerces2-j/features.html#dom.create-entity-ref-nodes

AFAICS, the feature does not aim to control if entity references are expanded, but only how exactly they appear in the resulting DOM tree.
"Java developers who use the default parser (or a newer version of Xerces-J) need to change one or more settings to make Xerces reasonably safe when processing untrusted XML. One behavior to be aware of is the fact that the DocumentBuilderFactory's setExpandEntityReferences method does not provide protection as one might expect. Calling this method with a "false" argument causes the parser to omit external entity data in the document when referenced, but it does not prevent definitions of external entities. This means the parser will still fetch external URLs, which could obviously be used for blind SSRF attacks (even if the content isn't used later in the document). Worse still, this setting does not prevent full use of external parameter entities, which would likely allow an attacker to conduct all of the same attacks that are possible with regular external entities."
Maybe your paper should rather mention parser features as external-general-entities and external-parameter-entities:

http://docs.oracle.com/javase/7/docs/api/org/xml/sax/package-summary.html#package_description

OWASP XXE document covers some of this, but actually mentions only one of the two features...

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing#Java

-- 
Tomas Hoger / Red Hat Security Response Team
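As an added illustration of the point made in this thread (example code, not Tomas's or Timothy's and not from the JDK or Xerces), the following configures a DocumentBuilderFactory with the two SAX features named above; the XML sample and its placeholder file URLs are constructed and refer to nothing that exists.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class HardenedXmlParser {

    // The SAX features referred to in the thread. setExpandEntityReferences(false)
    // is not a substitute for either of them.
    private static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    private static final String EXT_PARAM   = "http://xml.org/sax/features/external-parameter-entities";

    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // External general entities (&ext;) are skipped rather than fetched.
        dbf.setFeature(EXT_GENERAL, false);
        // External parameter entities (%pe;) and external DTD subsets are not fetched.
        dbf.setFeature(EXT_PARAM, false);
        dbf.setXIncludeAware(false);
        // Only decides whether EntityReference nodes appear in the DOM tree
        // (create-entity-ref-nodes); it does not stop the parser from loading entity content.
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: one external general entity and one external parameter
        // entity, both pointing at placeholder URLs. A parser honouring these declarations
        // would attempt file I/O here; the hardened builder never does.
        String xml =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE doc [\n"
          + "  <!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist.txt\">\n"
          + "  <!ENTITY % pe SYSTEM \"file:///placeholder/does-not-exist.dtd\">\n"
          + "  %pe;\n"
          + "]>\n"
          + "<doc>&ext;</doc>";
        Document d = newHardenedBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        // The root's text carries nothing from the external entity, because it was skipped.
        System.out.println("root text after parse: \"" + d.getDocumentElement().getTextContent() + "\"");
    }
}
```

Swapping the two setFeature calls out and keeping only setExpandEntityReferences(false) leaves the parser free to resolve both SYSTEM identifiers, which is the behaviour the quoted paper excerpt warns about.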