Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XXE vulnerability #25

Closed
guykoth opened this issue Sep 7, 2015 · 13 comments
Closed

XXE vulnerability #25

guykoth opened this issue Sep 7, 2015 · 13 comments
Assignees
@joehni
Labels
bug
Milestone
1.4.9

Comments

@guykoth
Copy link

guykoth commented Sep 7, 2015

DTD processing was enabled and therefore, XML deserialization process was vulnerable to XML External Entity Injection (I was able to expose local files).
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

Suggestion is to ignore client-side DOCTYPE declarations.
@joehni
Copy link
Member

joehni commented Sep 7, 2015

XStream supports a big number of XML parsers. Its default is Xpp3 which does not support entities at all. So what parser did you use?

@guykoth
Copy link
Author

guykoth commented Sep 8, 2015

Payload:

%passwd;
]>

stack-trace

joehni added a commit that referenced this issue Oct 5, 2015
@joehni
Update FAQ for XXE vulnerability. Update changes for fix of #25.
200051b
@joehni joehni self-assigned this Oct 5, 2015
@joehni joehni added this to the 1.4.x milestone Oct 5, 2015
@joehni joehni added the bug label Oct 5, 2015
@joehni
Copy link
Member

joehni commented Oct 5, 2015

As far as possible I've turned off processing of external entities for all affected parsers.

@joehni
Copy link
Member

joehni commented Oct 9, 2015

Ported into 1.4.x branch.

@joehni joehni closed this as completed Oct 9, 2015
@govindraghu
Copy link

I am using xstream-1.3.1 version. Is the "turn off on external entities" implemented in this version?

@joehni
Copy link
Member

joehni commented Feb 18, 2016

No. That version is 7 years old and the 1.3.x line is no longer maintained.

@govindraghu
Copy link

Thanks joehni for your quick response. I will plan on upgrading the to the latest version. In the mean time, I downloaded the latest source code of 1.4.8. Can you point me what class/method addresses the fix "disallow-doctype-decl" as pointed out in URL https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

String FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);

@joehni
Copy link
Member

joehni commented Feb 22, 2016

Hi, it's unfortunately not yet released. It's a series of commits. Look into the history of the 1.4.x branch in October 2015.

@joehni joehni modified the milestones: 1.4.x, 1.4.9 Mar 16, 2016
@mceli
Copy link

mceli commented Apr 4, 2016

Hello @joehni , Is xstream-1.4.3 vulnerable to this issue?

@joehni
Copy link
Member

joehni commented Apr 5, 2016

Look at the milestone of this issue.

@adioss
Copy link

adioss commented Jun 28, 2016
edited
Loading

Hello,

A little question/remark: the threat is reported here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3674. You can notice that:

cpe:/a:x-stream:xstream:1.4.8 and previous versions

so the product vendor here is "x-stream". But now (I can see it here http://mvnrepository.com/artifact/xstream/xstream) the vendor for current version is "com.thoughtworks.xstream" so in my opinion, CVE is not correctly reported for the moment. For example, if you use tools like OWASP dependency check (or maybe blackduck), you won't be able to detect that the lib is sensitive to potential threat.

Do you think it's possible to contact NIST to update/add the new vendor to CPE (very sorry, I'm NOT (sorry) aware how to do that/if it's possible...)?

Adrien

@joehni
Copy link
Member

joehni commented Jun 28, 2016

Hi,
actually I have no clue, how this report has been generated. All I did was to send an CVE request to Openwall and got the number back after some time.

@An7i21 An7i21 mentioned this issue Sep 5, 2016
Open
@AASMACMX AASMACMX mentioned this issue Feb 26, 2023
Open
@AASMACMX AASMACMX mentioned this issue Apr 26, 2023
Open
@AASMACMX AASMACMX mentioned this issue Jul 20, 2023
Open
@RobinStar520
Copy link

CxDemoInABoxRepos/Java-Webgoat#895

CxDemoInABoxRepos/Java-Webgoat#198

@cyates-checkmarx cyates-checkmarx mentioned this issue Jun 23, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@joehni joehni

Labels
bug
Projects
None yet
Milestone
1.4.9
Development

No branches or pull requests
6 participants
@adioss @joehni @guykoth @govindraghu @mceli @RobinStar520