Posted to users@cocoon.apache.org by Cédric Damioli <cd...@apache.org> on 2020/09/11 09:39:23 UTC

[CVE-2020-11991] Apache Cocoon security vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Cocoon up to 2.1.12

Description: When using the StreamGenerator, the code parses 
user-provided XML.

A specially crafted XML, including external system entities, could be 
used to access any file on the server system.

Mitigation:

The StreamGenerator now ignores external entities. 2.1.x users should 
upgrade to 2.1.13.

Example:

With the following input:

<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/shadow"> ]>
<userInfo>
<firstName>John</firstName>
<lastName>&ent;</lastName>
</userInfo>

an attacker got the content of /etc/shadow

Credit: This issue was discovered by Nassim Asrir.


Regards,

-- 
Cédric Damioli


Re: [CVE-2020-11991] Apache Cocoon security vulnerability

Posted by Cédric Damioli <cd...@apache.org>.
Hi,

Entity resolution is managed by features of the SAX parser, before any 
transformation.

Cédric

On 11/09/2020 at 12:12, gelo1234 wrote:
>
> Hello Cedric,
>
> Are external entities blocked also in XSLT?
>
> Greetings,
> Greg

-- 
Cédric Damioli
CMS - Java - Open Source
www.ametys.org
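
As an added illustration (not code from Cocoon or from anyone in this thread), the SAX parser features that control external entity resolution can be checked against the advisory's sample document as shown below. The class name, the temporary marker file standing in for a sensitive file, and the particular set of features are assumptions; the actual 2.1.13 change is not shown on this page.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical class name; requires Java 11+ and the JDK's built-in (Xerces-based) parser.
public class SaxExternalEntityCheck {

    // Parses the document and returns all character data, so the caller can
    // see whether the external entity was expanded into the output.
    static String parse(SAXParserFactory factory, String xml) throws Exception {
        StringBuilder text = new StringBuilder();
        factory.newSAXParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        return text.toString();
    }

    // Factory with external entity resolution switched off through SAX features.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Xerces-specific feature: do not fetch an external DTD subset either.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a temporary marker file replaces the path used in the advisory.
        Path marker = Files.createTempFile("xxe-marker", ".txt");
        Files.writeString(marker, "MARKER-FILE-CONTENT");
        String xml = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE replace [<!ENTITY ent SYSTEM \"" + marker.toUri() + "\">]>"
                + "<userInfo><firstName>John</firstName><lastName>&ent;</lastName></userInfo>";
        try {
            String plain = parse(SAXParserFactory.newInstance(), xml);
            String hardened = parse(hardenedFactory(), xml);
            System.out.println("default factory returns marker:  " + plain.contains("MARKER-FILE-CONTENT"));
            System.out.println("hardened factory returns marker: " + hardened.contains("MARKER-FILE-CONTENT"));
        } finally {
            Files.delete(marker);
        }
    }
}
```

The same check can be pointed at whatever parser factory an application actually uses, to confirm that the features are set before user-supplied XML reaches it.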


Re: [CVE-2020-11991] Apache Cocoon security vulnerability

Posted by gelo1234 <ge...@gmail.com>.
Hello Cedric,

Are external entities blocked also in XSLT?

Greetings,
Greg
