Batik: BATIK-1139

SSRF through external DTD resolution


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.8
    • Fix Version/s: 1.9
    • Component/s: SVG Rasterizer
    • Labels:
      None

      Description

      The fix for XXE (BATIK-1018) seems to be incomplete.
      External DTD resolution should also be disabled in order to avoid attacks like SSRF or port-scanning behind the firewall.

      See attached file (ssrf.svg) for an example.

      chaotic@m0lly:~$ nc -l 2323
      GET / HTTP/1.1
      User-Agent: Java/1.7.0_60-ea
      Host: localhost:2323
      Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
      Connection: keep-alive
      

      To fix it you could disable the external DTD resolution altogether, using the document factory configuration, i.e.

      dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
      

      See also https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing for more information on XXE.

        Attachments

        1. ssrf.svg
          0.3 kB
          Lars Krapf

              People

               • Assignee: gadams Glenn Adams
               • Reporter: chaotic Lars Krapf
               • Votes: 0
               • Watchers: 7
