You are viewing a plain text version of this content. The canonical link for it is here.
Posted to batik-dev@xmlgraphics.apache.org by "Lars Krapf (JIRA)" <ji...@apache.org> on 2015/12/07 18:44:11 UTC
[jira] [Created] (BATIK-1139) SSRF through external DTD resolution
Lars Krapf created BATIK-1139:
---------------------------------
Summary: SSRF through external DTD resolution
Key: BATIK-1139
URL: https://issues.apache.org/jira/browse/BATIK-1139
Project: Batik
Issue Type: Bug
Components: SVG Rasterizer
Affects Versions: 1.8
Reporter: Lars Krapf
The fix for XXE (BATIK-1018) seems to be incomplete.
External DTD resolution should also be disabled in order to avoid attacks like SSRF or port-scanning behind the firewall.
See attached file (ssrf.svg) for an example.
{code}
chaotic@m0lly:~$ nc -l 2323
GET / HTTP/1.1
User-Agent: Java/1.7.0_60-ea
Host: localhost:2323
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
{code}
To fix it you could disable the external DTD resolution altogether, using the document factory configuration, i.e.
{code}
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
{code}
See also [https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing|OWASP] for more information on XXE.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: batik-dev-unsubscribe@xmlgraphics.apache.org
For additional commands, e-mail: batik-dev-help@xmlgraphics.apache.org