oss-sec mailing list archives
Re: CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled
From: Tim <tim-security () sentinelchicken org>
Date: Tue, 3 Jun 2014 08:37:26 -0700
Hi David,
> Sorry for the absurdly late reply to this thread. I finally found time to do some testing on OpenJDK 1.7.0_45. I can confirm Tomas' assessment that setExpandEntityReferences() and setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) have no bearing on whether or not entity references are expanded, nor do they purport to.
Yeah, you gotta love FEATURE_SECURE_PROCESSING. It's just like calling a website "secure" because it uses SSL. I agree that these features don't purport to turn off certain dangerous features, but to a developer who doesn't know what parameter entities are, they could very easily assume they are safe with setExpandEntityReferences(false).
> Applications that process attacker-supplied XML using Xerces are vulnerable to SSRF attacks unless they use both setFeature("http://xml.org/sax/features/external-parameter-entities", false) and setFeature("http://xml.org/sax/features/external-general-entities", false). The OWASP XXE document should be updated to mention external-parameter-entities. I will do this as soon as my OWASP wiki account is approved.
Feel free to use this as a reference for other thoughts on what developers should be wary of: http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf I would also be interested to hear if you think anything I mention in there is inaccurate.

Cheers,
tim
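As an added illustration of the point made in the exchange above (example code written for this page, not code from the thread, from the JDK or from Xerces), the Java class below builds the two DocumentBuilderFactory configurations side by side: the one that merely looks restrictive (setExpandEntityReferences(false) plus FEATURE_SECURE_PROCESSING) and the one the thread recommends, which disables the external-parameter-entities and external-general-entities SAX features. Rather than letting the parser reach a network host, it installs an EntityResolver that records every system id the parser asks for and answers with an empty entity, so the returned list shows which configuration still attempts external lookups. The class name, the RecordingResolver helper and the .invalid hostnames in the constructed sample document are assumptions; the additional load-external-dtd feature is a real Xerces feature that the thread itself does not mention.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XercesEntityCheck {

    // Constructed test input (not from the thread): one external parameter
    // entity declared and referenced in the internal DTD subset, and one
    // external general entity referenced from element content. The host is a
    // reserved .invalid placeholder and is never contacted, because the
    // recording resolver below answers every lookup locally.
    static final String SAMPLE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE doc [\n"
        + "  <!ENTITY % pe SYSTEM \"http://dtd-host.invalid/pe.dtd\">\n"
        + "  %pe;\n"
        + "  <!ENTITY ge SYSTEM \"http://dtd-host.invalid/ge.txt\">\n"
        + "]>\n"
        + "<doc>&ge;</doc>\n";

    /** Hypothetical helper: records every external lookup the parser attempts
     *  and returns an empty entity instead of fetching anything. */
    static final class RecordingResolver implements EntityResolver {
        final List<String> requested = new ArrayList<>();

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            requested.add(systemId);
            return new InputSource(new StringReader(""));
        }
    }

    /** The configuration the thread warns about: it reads as restrictive, but
     *  neither setting governs whether external entities are loaded. */
    static DocumentBuilderFactory misleadingFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setExpandEntityReferences(false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf;
    }

    /** The configuration the thread recommends: both SAX features turned off. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // Not discussed in the thread: this Xerces feature additionally covers
        // the external DTD subset named by a DOCTYPE SYSTEM identifier.
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return dbf;
    }

    /** Parses SAMPLE with the given factory and returns the system ids the
     *  parser tried to resolve; an empty list means no external lookup. */
    static List<String> externalLookups(DocumentBuilderFactory dbf)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder db = dbf.newDocumentBuilder();
        RecordingResolver resolver = new RecordingResolver();
        db.setEntityResolver(resolver);
        Document doc = db.parse(new InputSource(new StringReader(SAMPLE)));
        return resolver.requested;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("misleading: " + externalLookups(misleadingFactory()));
        System.out.println("hardened:   " + externalLookups(hardenedFactory()));
    }
}
```

With the JDK's built-in Xerces, the misleading factory still hands both .invalid system ids to the resolver, while the hardened factory skips the external entities before any resolution takes place and returns an empty list. Two practical caveats: a resolver that returns its own InputSource is the observation point here, not the protection, so in production code the feature flags are what matter; and if a different JAXP implementation is on the classpath, setFeature throws ParserConfigurationException for a feature it does not recognise, which should be treated as a failed hardening step rather than swallowed.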