Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled

[David Jorm <djorm () redhat com>]

On 06/04/2014 01:37 AM, Tim wrote:
> Hi David,
>
> > Sorry for the absurdly late reply to this thread. I finally found time to do
> > some testing on OpenJDK 1.7.0_45. I can confirm Tomas' assessment that
> > setExpandEntityReferences() and
> > setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) have no bearing on
> > whether or not entity references are expanded, nor do they purport
> > to.
> Yeah, you gotta love FEATURE_SECURE_PROCESSING.  It's just like
> calling a website "secure" because it uses SSL.
>
> I agree that these features don't purport to turn off certain
> dangerous features, but to a developer who doesn't know what parameter
> entities are, they could very easily assume they are safe with
> setExpandEntityReferences(false).
>
>
> > Applications that process attacker-supplied XML using Xerces are vulnerable
> > to SSRF attacks unless they use both
> > setFeature("http://xml.org/sax/features/external-parameter-entities";, false)
> > and setFeature("http://xml.org/sax/features/external-general-entities";,
> > false).
> >
> > The OWASP XXE document should be updated to mention
> > external-parameter-entities. I will do this as soon as my OWASP wiki account
> > is approved.
> Feel free to use this as a reference for other thoughts on what
> developers should be wary of:
>    http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf

This is a fantastic paper, I have no edits to propose. I read through it 
today, and I have already found one rather interesting flaw related to 
the attack detailed on page 11. I'll be sure to reference this paper in 
the relevant advisory.

David