oss-sec mailing list archives
Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled
From: "Timoth D. Morgan" <tim-security () sentinelchicken org>
Date: Thu, 8 May 2014 14:55:36 -0700
In my testing, this same issue is true for Java. That is, if you use DocumentBuilderFactory's setExpandEntityReferences method and supply "false", then it has a very similar behavior. I'm about to release a comprehensive XXE paper, and here's a preview of what I have written about it: "Java developers who use the default parser (or a newer version of Xerces-J) need to change one or more settings to make Xerces reasonably safe when processing untrusted XML. One behavior to be aware of is the fact that the DocumentBuilderFactory's setExpandEntityReferences method does not provide protection as one might expect. Calling this method with a "false" argument causes the parser to omit external entity data in the document when referenced, but it does not prevent definitions of external entities. This means the parser will still fetch external URLs, which could obviously be used for blind SSRF attacks (even if the content isn't used later in the document). Worse still, this setting does not prevent full use of external parameter entities, which would likely allow an attacker to conduct all of the same attacks that are possible with regular external entities." Should we assign a CVE for this as well? I believe I tested versions 1.6.0_18 and 1.7.0_51, though I'd want someone to verify this, since it has been some time since I observed the behavior. tim On Tue, May 06, 2014 at 08:55:58PM +0200, Tomas Hoger wrote:
On Tue, 06 May 2014 20:21:28 +0200 Nicolas Grégoire wrote:libxml2 [...] incorrectly performs entity substituton in the doctype prolog, even if the application using libxml2 disabled any entity substitution.I'm not sure that I understand this bug. Do you have a PoC?The new issue is very similar to the one fixed by: https://git.gnome.org/browse/libxml2/commit/?id=4629ee02ac649c27f9c0cf98ba017c6b5526070f which is linked to the infamous CVE-2013-0339. 4629ee0 fixed the issue for general entities, while the 9cd1c3c fixes the same type of problem for parameter entities. Even when parsing without NOENT, external parameter entities are fetched. -- Tomas Hoger / Red Hat Security Response Team
Current thread:
- CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Stefan Cornelius (May 06)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Nicolas Grégoire (May 06)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tomas Hoger (May 06)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Nicolas Grégoire (May 06)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Timoth D. Morgan (May 08)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tomas Hoger (May 12)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled David Jorm (Jun 02)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tim (Jun 03)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled David Jorm (Jun 06)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tomas Hoger (May 06)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tim (Jun 03)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tomas Hoger (Jun 09)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Tim (Jun 09)
- Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled Nicolas Grégoire (May 06)