Posted to batik-dev@xmlgraphics.apache.org by "Tony BenBrahim (JIRA)" <ji...@apache.org> on 2015/03/07 09:06:38 UTC

[jira] [Commented] (BATIK-1018) "XML External Entities" vulnerability

    [ https://issues.apache.org/jira/browse/BATIK-1018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14351475#comment-14351475 ] 

Tony BenBrahim commented on BATIK-1018:
---------------------------------------

It will take more than documentation improvements, as some classes do not expose any way to configure the parser or parser factory between creation and use, and require subclassing, access to the source, etc.; we are now well past the point of the casual user. See BATIK-1113 for details.

More to the point, the ideal fail-safe solution would be to disable XXE by default, and provide methods to turn the features back on, for the handful of users who need this feature. If BATIK is run on a server environment, you most certainly do not want this feature, unless you also fully control external entity resolution and loading. I suspect the majority of users do not know what XML external entities are, do not need them and are not aware of the security implications, so the fail-safe approach seems like the best approach.

> "XML External Entities" vulnerability
> -------------------------------------
>
>                 Key: BATIK-1018
>                 URL: https://issues.apache.org/jira/browse/BATIK-1018
>             Project: Batik
>          Issue Type: Bug
>          Components: Web Site
>    Affects Versions: 1.8
>         Environment: Operating System: All
> Platform: All
>            Reporter: Nicolas GREGOIRE
>            Assignee: Batik Developer's Mailing list
>         Attachments: xxe.png, xxe.svg
>
>
> During visualization with Squiggle or rasterization via the CLI tool, XML external entities defined in the DTD are dereferenced and the content of the target file is included in the output.
> The impact of this vulnerability ranges from denial of service to file disclosure. Under Windows, it can also be used to steal LM/NTLM hashes.
> For some additional information about XXE attacks, please refer to http://cwe.mitre.org/data/definitions/827.html
> How to reproduce: 
> $> rasterizer xxe.svg -d xxe.png



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
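A fail-safe parser configuration of the kind this comment argues for, written against the standard JAXP SAX API that Batik builds on: DTD and external-entity processing are off unless the caller opts in. This is an added example, not Batik's own code or a patch from the project; the class name, the helper names and the sample SVG (with a placeholder file path) are constructed for illustration. The opt-in branch is not exercised on the sample, since it would attempt to fetch the referenced file.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class FailSafeSvgParser {
    // Constructed sample: the shape of an SVG that declares an external entity in its DTD.
    // The SYSTEM path is a placeholder, not a real target.
    static final String SAMPLE_SVG =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE svg [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path\"> ]>\n"
        + "<svg xmlns=\"http://www.w3.org/2000/svg\"><text>&ext;</text></svg>";

    /** Builds a factory that refuses DTD/entity processing unless explicitly opted in. */
    static SAXParserFactory newFactory(boolean allowExternalEntities) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        if (!allowExternalEntities) {
            // Fail-safe default: no DOCTYPE at all, so no entity declarations can be loaded.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        }
        return f;
    }

    /** Returns true if the document was accepted, false if the hardened parser rejected it. */
    static boolean parse(String xml, boolean allowExternalEntities) throws Exception {
        SAXParser parser = newFactory(allowExternalEntities).newSAXParser();
        try {
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXException e) {
            // With disallow-doctype-decl the DOCTYPE itself is the error, before any entity is touched.
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("fail-safe default accepted sample: " + parse(SAMPLE_SVG, false));
    }
}
```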
