Posted to batik-dev@xmlgraphics.apache.org by bu...@apache.org on 2012/07/25 18:32:36 UTC

[Bug 53603] New: "XML External Entities" vulnerability

https://issues.apache.org/bugzilla/show_bug.cgi?id=53603

          Priority: P2
            Bug ID: 53603
          Assignee: batik-dev@xmlgraphics.apache.org
           Summary: "XML External Entities" vulnerability
          Severity: major
    Classification: Unclassified
                OS: All
          Reporter: nicolas.gregoire@agarri.fr
          Hardware: All
            Status: NEW
           Version: 1.8
         Component: SVG DOM
           Product: Batik

Created attachment 29114
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=29114&action=edit
Malicious SVG file

During visualization with Squiggle or rasterization via the CLI tool, XML
external entities defined in the DTD are dereferenced and the content of the
target file is included in the output.

The impact of this vulnerability ranges from denial of service to file
disclosure. Under Windows, it can also be used to steal LM/NTLM hashes.

For some additional information about XXE attacks, please refer to
http://cwe.mitre.org/data/definitions/827.html

How to reproduce: 
$> rasterizer xxe.svg -d xxe.png

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: batik-dev-unsubscribe@xmlgraphics.apache.org
For additional commands, e-mail: batik-dev-help@xmlgraphics.apache.org


[Bug 53603] "XML External Entities" vulnerability

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53603

--- Comment #3 from Jeremias Maerki <je...@apache.org> ---
I agree with Thomas. In a short experiment, I was able to use XInclude
(implemented by Apache Xerces-J) to force the same effect. Batik does not even
know about XInclude since it's a parser-level feature.

However, it might be a good idea to write some documentation about it so users
are reminded to secure their applications.



[Bug 53603] "XML External Entities" vulnerability

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53603

--- Comment #2 from Thomas Deweese <de...@apache.org> ---
I don't want to dismiss this out of hand but I'm not sure I agree that a
vulnerability really exists.

Given that Batik is more a toolkit than a finished product a lot more of the
responsibility for avoiding these issues falls on the users rather than the
library.  This is more or less required given that it's impossible for us to know
ahead of time what parts of the system the batik libraries should be allowed to
access or not.

Please note that xxe.svg will fail if you use squiggle _and_ you fetch
'xxe.svg' from a server (I even tried variants like replacing etc/passwd with
file:///etc/passwd).

People using the rasterizer to rasterize random content from the web should be
more careful.  They can use Java's built-in support for policy files to
restrict access to the file system.  I don't think it would be appropriate for
the toolkit to restrict this ahead of time since many legitimate uses may need
fairly wide access to the filesystem.  I checked and browsers seem to block all
access to the file system when loading a file from the disk even if it's
co-located.  That may make sense for a browser but I think would block many
legitimate uses of Batik.



[Bug 53603] "XML External Entities" vulnerability

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53603

Helder Magalhães <he...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|SVG DOM                     |Web Site
           Severity|major                       |minor

--- Comment #4 from Helder Magalhães <he...@gmail.com> ---
(In reply to comment #3)
> I agree with Thomas.

I agree with Thomas and Jeremias as well.


> However, it might be a good idea to write some documentation about it so
> users are reminded to secure their applications.

Decreasing severity and moving this to the "Web Site" component, more in the
sense of "Documentation" (which doesn't exist); "javadoc" alone doesn't feel
right as well: I'd say that these sort of reminders belong to a higher level
than Javadoc, although probably something might be done in code documentation
as well.


(In reply to comment #0)
> During visualization with Squiggle or rasterization via the CLI tool, XML
> external entities defined in the DTD are dereferenced and the content of the
> target file is included in the output.
> 
> The impact of this vulnerability ranges from denial of service to file
> disclosure. Under Windows, it can also be used to steal LM/NTLM hashes.

First of all, thanks for the report!

Thomas has provided a good insight about this potential issue in comment #2.
Based on the feedback and on a few performed tests, I'd say the example
provided is roughly equivalent to an ECMAScript getURL fetching the
"/etc/passwd" (using the "file" protocol).

If you still believe this can be considered a security issue then please adjust
the priority accordingly. In any case, elaborating a bit longer would help -
for further understanding what can be involved or (simply) to serve as base for
the documentation improvements.



[Bug 53603] "XML External Entities" vulnerability

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53603

--- Comment #5 from Nicolas GREGOIRE <ni...@agarri.fr> ---
I understand your position but I think that these risks should then be much
more visible to casual users of the framework (i.e. documentation improvement).

Nowadays, it's trivial to find some applications using Batik in an insecure way
(allowing the disclosure of local files). Examples:
- Apache FOP: vulnerable. Repro: FOP document including a malicious SVG image
- HighCharts JS: vulnerable. Repro: submit a malicious SVG to the on-line
export feature of this graph library

MediaWiki seems impacted too:
http://www.mediawiki.org/wiki/Manual:$wgSVGConverters

Regarding XInclude: it is a feature of the XML parser and could be disabled
there in security-conscious deployments.
Regarding ECMAScript: it can be disabled using command-line options. The main
differences with the XXE attack are that this one is scriptless and can't be
inhibited using options.

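An added example, not the reporter's attachment and not Batik's own code, written against plain JAXP/Xerces rather than the Batik API. It builds an SVG in the shape comment #0 describes (a DTD external entity whose content lands in a <text> node) plus an XInclude variant like the one comment #3 mentions, parses each with a default parser and with a hardened one, and prints the text that would be rasterized. The class name, the temporary target file that stands in for /etc/passwd, and the parser configuration are this example's assumptions; how to hand a configured XMLReader to Batik is not shown here.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

/**
 * Added example (not Batik's or the reporter's code): the two parser-level
 * file-read paths discussed in bug 53603 (DTD external entity, XInclude)
 * against a default JAXP parser and against a hardened one.
 */
public class SvgXxeDemo {

    /** Constructed SVG in the shape the report describes: an external
     *  general entity declared in the internal DTD subset, referenced
     *  inside a <text> element so the file content gets rendered. */
    static String xxeSvg(Path target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE svg [\n"
             + "  <!ENTITY secret SYSTEM \"" + target.toUri() + "\">\n"
             + "]>\n"
             + "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"400\" height=\"100\">\n"
             + "  <text x=\"10\" y=\"40\">&secret;</text>\n"
             + "</svg>\n";
    }

    /** Constructed SVG reaching the same file through XInclude, a
     *  parser-level feature with no entity declaration at all. */
    static String xincludeSvg(Path target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<svg xmlns=\"http://www.w3.org/2000/svg\"\n"
             + "     xmlns:xi=\"http://www.w3.org/2001/XInclude\" width=\"400\" height=\"100\">\n"
             + "  <text x=\"10\" y=\"40\"><xi:include href=\"" + target.toUri()
             + "\" parse=\"text\"/></text>\n"
             + "</svg>\n";
    }

    /** Weak configuration: JAXP defaults (external entities are resolved)
     *  with XInclude switched on, i.e. a deployment that never touched
     *  its parser settings. */
    static DocumentBuilder permissiveBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(true);
        return f.newDocumentBuilder();
    }

    /** Hardened configuration: refuse any DOCTYPE outright, and in addition
     *  close every external-resource path the Xerces features expose. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns the text content of the first <text> element, which is
     *  what the rasterizer would draw into the output image. */
    static String renderedText(DocumentBuilder builder, String svg)
            throws SAXException, IOException {
        Document doc = builder.parse(
                new ByteArrayInputStream(svg.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagNameNS("http://www.w3.org/2000/svg", "text")
                  .item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // A throwaway file stands in for /etc/passwd so the demo is harmless.
        Path target = Files.createTempFile("xxe-target", ".txt");
        Files.write(target, "root:x:0:0:root:/root:/bin/bash\n".getBytes(StandardCharsets.UTF_8));

        for (String svg : new String[] { xxeSvg(target), xincludeSvg(target) }) {
            System.out.println("permissive parser renders: '"
                    + renderedText(permissiveBuilder(), svg) + "'");
            try {
                // Entity variant: the DOCTYPE is rejected before any entity is read.
                // XInclude variant: the xi:include element is left inert, so the
                // rendered text is empty and nothing from the file reaches the output.
                System.out.println("hardened parser renders:   '"
                        + renderedText(hardenedBuilder(), svg) + "'");
            } catch (SAXParseException e) {
                System.out.println("hardened parser rejects:   " + e.getMessage());
            }
        }
        Files.deleteIfExists(target);
    }
}
```

The point the thread makes is that these are settings of the XML parser, not of Batik: disallow-doctype-decl alone defeats the attached xxe.svg, while XInclude has to be turned off separately because it never goes through the DTD. Whichever parser an application hands to Batik needs both applied, or, as Thomas suggests, the process has to be confined with a policy file so a successful entity resolution cannot read anything of interest.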


[Bug 53603] "XML External Entities" vulnerability

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53603

--- Comment #1 from Nicolas GREGOIRE <ni...@agarri.fr> ---
Created attachment 29115
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=29115&action=edit
Result of the rasterization of xxe.svg
