Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 1.8
- None
Description
The fix for XXE (BATIK-1018) seems to be incomplete.
External DTD resolution should also be disabled in order to avoid attacks like SSRF or port-scanning behind the firewall.
See attached file (ssrf.svg) for an example.
chaotic@m0lly:~$ nc -l 2323
GET / HTTP/1.1
User-Agent: Java/1.7.0_60-ea
Host: localhost:2323
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
To fix it you could disable the external DTD resolution altogether, using the document factory configuration, i.e.
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
See also https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing for more information on XXE.
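The configuration suggested above, worked into a complete example. This is added illustration code, not Batik's own parser setup: the class name, the hardenedFactory/parse helpers and the sample SVG (whose DOCTYPE points at the same local listener as the nc session) are constructed for this example; the feature URIs are the standard Xerces/SAX ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class SafeSvgParser {
    // Constructed sample: an SVG whose DOCTYPE points at an external DTD on a
    // local listener, mirroring the nc session in the report. Not a real target.
    static final String SAMPLE_SVG =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE svg SYSTEM \"http://localhost:2323/\">\n" +
        "<svg xmlns=\"http://www.w3.org/2000/svg\"/>\n";
    // Factory that never fetches DTDs or external entities (Xerces/JAXP feature URIs).
    static DocumentBuilderFactory hardenedFactory(boolean allowDoctype) throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Strongest option: reject any DOCTYPE, which removes DTD and entity handling entirely.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", !allowDoctype);
        // If a DOCTYPE must be tolerated, keep the parser from fetching the external
        // subset (the SSRF vector in this report) or expanding external entities.
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }
    static Document parse(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        // Defence in depth: should a feature be unsupported, an EntityResolver that
        // returns an empty stream still keeps every external lookup off the network.
        db.setEntityResolver((publicId, systemId) ->
            new InputSource(new ByteArrayInputStream(new byte[0])));
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }
    public static void main(String[] args) throws Exception {
        try { // strict: the DOCTYPE is rejected before any resolution can start
            parse(hardenedFactory(false), SAMPLE_SVG);
        } catch (SAXParseException e) {
            System.out.println("strict: rejected DOCTYPE: " + e.getMessage());
        }
        // lenient: DOCTYPE kept, but nothing is ever requested from localhost:2323
        Document doc = parse(hardenedFactory(true), SAMPLE_SVG);
        System.out.println("lenient: parsed <" + doc.getDocumentElement().getTagName() + ">");
    }
}
```

Batik builds its SVG DOM through a SAX XMLReader rather than a DocumentBuilderFactory; the same feature URIs are accepted by XMLReader.setFeature, and an nc listener as in the report is a quick way to confirm that no request arrives in either mode.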
Attachments
Issue Links
- relates to BATIK-1018 "XML External Entities" vulnerability (Resolved)