oss-sec mailing list archives
Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled
From: David Jorm <djorm () redhat com>
Date: Fri, 06 Jun 2014 17:25:26 +1000
On 06/04/2014 01:37 AM, Tim wrote:
Hi David,

Sorry for the absurdly late reply to this thread. I finally found time to do some testing on OpenJDK 1.7.0_45. I can confirm Tomas' assessment that setExpandEntityReferences() and setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) have no bearing on whether or not entity references are expanded, nor do they purport to.

Yeah, you gotta love FEATURE_SECURE_PROCESSING. It's just like calling a website "secure" because it uses SSL. I agree that these features don't purport to turn off certain dangerous features, but to a developer who doesn't know what parameter entities are, they could very easily assume they are safe with setExpandEntityReferences(false).

Applications that process attacker-supplied XML using Xerces are vulnerable to SSRF attacks unless they use both setFeature("http://xml.org/sax/features/external-parameter-entities", false) and setFeature("http://xml.org/sax/features/external-general-entities", false). The OWASP XXE document should be updated to mention external-parameter-entities. I will do this as soon as my OWASP wiki account is approved.

Feel free to use this as a reference for other thoughts on what developers should be wary of: http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
This is a fantastic paper, I have no edits to propose. I read through it today, and I have already found one rather interesting flaw related to the attack detailed on page 11. I'll be sure to reference this paper in the relevant advisory.
David
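An added Java example (not code from the thread or from Xerces) of the point discussed above: it parses a constructed document declaring an external parameter entity under both the setExpandEntityReferences()/FEATURE_SECURE_PROCESSING configuration and the two-feature configuration, with an EntityResolver that records what the parser asks for instead of fetching it. The class name, the recording resolver and the placeholder URL are my own; the feature names and JAXP calls are the ones named in the thread.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;

public class ParameterEntityCheck {
    // Constructed input: the internal DTD subset declares and references an external
    // parameter entity. The URL is a placeholder; the resolver below never fetches it.
    static final String DOC = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE r [\n"
        + "  <!ENTITY % ext SYSTEM \"http://placeholder.invalid/ext.dtd\">\n"
        + "  %ext;\n"
        + "]>\n"
        + "<r>ok</r>";

    // Records each system ID the parser asks for and returns empty replacement text,
    // so the run shows whether resolution was attempted without any network I/O.
    static final class RecordingResolver implements EntityResolver {
        final List<String> requested = new ArrayList<>();
        public InputSource resolveEntity(String publicId, String systemId) {
            requested.add(systemId);
            return new InputSource(new StringReader(""));
        }
    }

    // Parses DOC with the given factory; returns the system IDs the parser tried to resolve.
    static List<String> resolvedBy(DocumentBuilderFactory factory) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        RecordingResolver resolver = new RecordingResolver();
        builder.setEntityResolver(resolver);
        builder.parse(new InputSource(new StringReader(DOC)));
        return resolver.requested;
    }

    public static void main(String[] args) throws Exception {
        // The settings the thread found do not control external parameter entity loading.
        DocumentBuilderFactory naive = DocumentBuilderFactory.newInstance();
        naive.setExpandEntityReferences(false);
        naive.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // The settings the thread recommends: both SAX external-entity features disabled.
        DocumentBuilderFactory hardened = DocumentBuilderFactory.newInstance();
        hardened.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        hardened.setFeature("http://xml.org/sax/features/external-general-entities", false);
        System.out.println("naive:    " + resolvedBy(naive));
        System.out.println("hardened: " + resolvedBy(hardened));
    }
}
```

With the first factory the resolver is asked for the placeholder URL; with the second the list stays empty, because Xerces skips external parameter entities before consulting the resolver when that feature is off.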
Current thread:
- CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Stefan Cornelius (May 06)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Nicolas Grégoire (May 06)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tomas Hoger (May 06)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Nicolas Grégoire (May 06)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Timothy D. Morgan (May 08)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tomas Hoger (May 12)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled David Jorm (Jun 02)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tim (Jun 03)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled David Jorm (Jun 06)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tomas Hoger (May 06)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tim (Jun 03)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tomas Hoger (Jun 09)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tim (Jun 09)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Nicolas Grégoire (May 06)