CESA-2007-002 - rev 2
[See all my vulnerabilities at
http://scary.beasts.org/security]
[Blog if you want to subscribe to new findings is at
http://scarybeastsecurity.blogspot.com/]
Sun JDK6 breaks XXE attack protection
Programs affected: JDK6 up to and including update 3
Fixed: JDK6 update 4
Unaffected: JDKs prior to 6
Severity: Parsing of untrusted XML may lead to file theft or network ACL
bypass. Standard XXE threats.
Seems to be a bug introduced by this line in
com.sun.org.apache.xerces.internal.impl.XMLEntityManager:

    fExternalGeneralEntities = external;//ToDo :Venu
This effectively forces on the external-general-entities flag, the one that
secure software would often turn off to prevent XXE attacks. As a brief
refresher, the following XML mounts an XXE attack via the DTD: it declares an
external entity that attempts to open the /dev/tty file.
<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///dev/tty"> ]>
<root>
<element>&ent;</element>
</root>
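To check whether a given JDK actually honours the flag, here is an added
example (not part of the advisory, and not Sun's or Google's code): it
configures a SAX parser with external general and parameter entities
disabled, feeds it a constructed document of the same shape as the XML
above (the entity points at a placeholder path, not /dev/tty), and reports
whether the parser tried to resolve the external entity at all. The class
name, the handler, and the placeholder path are assumptions of the example.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Probes whether the JDK's SAX parser respects
 * external-general-entities=false, i.e. whether the flag that the
 * advisory says JDK6 (up to update 3) forces on is actually honoured.
 * Hypothetical class written for this example.
 */
public class XxeFlagCheck {

    // Constructed sample: same structure as the advisory's XML, but the
    // entity points at a placeholder path so nothing sensitive is requested.
    static final String SAMPLE =
        "<!DOCTYPE doc [ <!ENTITY ent SYSTEM \"file:///nonexistent/placeholder\"> ]>\n"
        + "<root><element>&ent;</element></root>";

    /** Records whether the parser attempted to fetch the external entity. */
    static final class ProbeHandler extends DefaultHandler {
        boolean resolveAttempted = false;
        boolean skippedEntity = false;

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            // A resolver call means the parser intends to expand the external
            // entity. Hand back an empty source instead of letting it read a file.
            resolveAttempted = true;
            return new InputSource(new StringReader(""));
        }

        @Override
        public void skippedEntity(String name) {
            // Xerces reports the reference as skipped when expansion is disabled
            // (informational; exact reporting varies between Xerces versions).
            skippedEntity = true;
        }
    }

    /** Returns true if the parser left &ent; unexpanded, false if it tried to resolve it. */
    static boolean parserHonoursFlag()
            throws ParserConfigurationException, SAXException, IOException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // The two SAX features secure code sets to disable XXE expansion.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        SAXParser parser = factory.newSAXParser();
        ProbeHandler handler = new ProbeHandler();
        parser.parse(new InputSource(new StringReader(SAMPLE)), handler);
        return !handler.resolveAttempted;
    }

    public static void main(String[] args) throws Exception {
        boolean ok = parserHonoursFlag();
        System.out.println("JDK " + System.getProperty("java.version")
            + ": external-general-entities=false is "
            + (ok ? "honoured (entity left unexpanded)"
                  : "IGNORED - parser tried to resolve &ent;"));
    }
}
```

On an affected JDK6 build the resolver is invoked with the entity's system
identifier despite the feature being false; on a fixed build it is not.
Because the probe's resolveEntity returns an empty InputSource rather than
null, it also serves as a fallback mitigation: even a parser that ignores the
flag never opens the referenced file. Where DTDs are not needed at all,
disabling them outright (the Xerces feature
http://apache.org/xml/features/disallow-doctype-decl) removes the attack
surface regardless of the entity flags.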
Credits
- Google - this flaw was discovered in Google's time. I'm with Google's
Security Team, and we're always recruiting talented security individuals.
Mail me.
- Johannes Henkel - did the diagnostic and fix work. I was only responsible
for an automated alarm-bells test that found this.
Chris Evans
scarybeasts@gmail.com