BATIK-1139: SSRF through external DTD resolution


Details

    Type: Bug
    Status: Resolved
    Priority: Major
    Resolution: Fixed
    Affects Version/s: 1.8
    Fix Version/s: 1.9
    Component/s: SVG Rasterizer
    Labels: None

    Description

      The fix for XXE (BATIK-1018) seems to be incomplete.
      External DTD resolution should also be disabled in order to avoid attacks like SSRF or port-scanning behind the firewall.

      See attached file (ssrf.svg) for an example.

      chaotic@m0lly:~$ nc -l 2323
      GET / HTTP/1.1
      User-Agent: Java/1.7.0_60-ea
      Host: localhost:2323
      Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
      Connection: keep-alive
      

      To fix it you could disable the external DTD resolution altogether, using the document factory configuration, i.e.

      dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
      

      See also https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing for more information on XXE.
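The following is an added example, not code from the report or from Batik itself. It reproduces the behaviour described above with the JDK's built-in Xerces parser: a non-validating DocumentBuilderFactory still fetches the external DTD named in a DOCTYPE, so a crafted SVG makes the parser open a TCP connection before it has seen a single element, exactly as the nc capture above shows. A loopback ServerSocket stands in for "nc -l 2323". The class name, the constructed SVG payload (the attached ssrf.svg is not reproduced on the page) and the port are assumptions; the hardened factory applies the feature from the report plus the two SAX entity features that close the other routes to the same sink.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.nio.charset.StandardCharsets;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Added example (not Batik code): a non-validating JAXP/Xerces parser still
 * fetches the external DTD named in a DOCTYPE; the feature from the report
 * stops it. Class name, port and payload are assumptions made for this demo.
 */
public class ExternalDtdSsrfDemo {

    // Constructed payload in the spirit of the attached ssrf.svg (not on the page):
    // the DOCTYPE points the parser at a loopback port. The parser connects there
    // before it has parsed a single element of the document.
    static final String SSRF_SVG =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE svg SYSTEM \"http://127.0.0.1:2323/\">\n"
          + "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"1\" height=\"1\"/>\n";

    /** The configuration the report warns about: validation off, DTD loading left at its default (on). */
    static DocumentBuilderFactory unsafeFactory() {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setValidating(false);
        dbf.setNamespaceAware(true);
        return dbf;
    }

    /** The fix from the report, plus the two SAX features that close the entity-based routes to the same sink. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setValidating(false);
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // disallow-doctype-decl would be stricter, but legitimate SVG files commonly
        // carry a DOCTYPE for the W3C SVG DTD, so a rasterizer cannot reject it outright.
        return dbf;
    }

    static Document parse(DocumentBuilderFactory dbf, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Parses the payload while a loopback listener (standing in for "nc -l 2323")
     * waits for a connection. Returns true if the parser reached out to it.
     */
    static boolean parserReachesOut(DocumentBuilderFactory dbf) throws Exception {
        try (ServerSocket listener = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            listener.setSoTimeout(2000);
            String payload = SSRF_SVG.replace("2323", Integer.toString(listener.getLocalPort()));
            Thread parserThread = new Thread(() -> {
                try {
                    parse(dbf, payload);
                } catch (Exception e) {
                    // A failed DTD fetch still proves the request was sent; that is the finding.
                }
            });
            parserThread.start();
            try (Socket fromParser = listener.accept()) {
                // Answer with a clean 404 so the parser fails fast instead of retrying.
                fromParser.getOutputStream().write(
                        "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
                                .getBytes(StandardCharsets.US_ASCII));
                return true;
            } catch (SocketTimeoutException e) {
                return false;
            } finally {
                parserThread.join(5000);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default (unsafe) factory contacts the listener: " + parserReachesOut(unsafeFactory()));
        System.out.println("hardened factory contacts the listener:         " + parserReachesOut(hardenedFactory()));
    }
}
```

Run with `javac ExternalDtdSsrfDemo.java && java ExternalDtdSsrfDemo`; the first line reports true and the second false. Batik's SVG document factories parse through SAX rather than through a DocumentBuilderFactory, but the feature URI is the same and is set on the XMLReader with setFeature. Note that the hardened document still parses: with load-external-dtd off the DOCTYPE is read and ignored, which is what a rasterizer needs, since it cannot reject every SVG that references the W3C DTD.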

Attachments

    ssrf.svg (0.3 kB, Lars Krapf)


People

    Assignee: Glenn Adams (gadams)
    Reporter: Lars Krapf (chaotic)
    Votes: 0
    Watchers: 7
