Posted to batik-dev@xmlgraphics.apache.org by "Lars Krapf (JIRA)" <ji...@apache.org> on 2015/12/02 23:38:11 UTC

[jira] [Commented] (BATIK-1018) "XML External Entities" vulnerability

    [ https://issues.apache.org/jira/browse/BATIK-1018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15036792#comment-15036792 ] 

Lars Krapf commented on BATIK-1018:
-----------------------------------

Hello

The fix for this issue seems to be incomplete. You should also disable external DTD resolution to avoid SSRF:
{code}dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);{code}

See attached ssrf.svg for an example. 


> "XML External Entities" vulnerability
> -------------------------------------
>
>                 Key: BATIK-1018
>                 URL: https://issues.apache.org/jira/browse/BATIK-1018
>             Project: Batik
>          Issue Type: Bug
>          Components: Web Site
>    Affects Versions: 1.8
>         Environment: Operating System: All
> Platform: All
>            Reporter: Nicolas GREGOIRE
>            Assignee: Batik Developer's Mailing list
>             Fix For: trunk
>
>         Attachments: xxe.png, xxe.svg
>
>
> During visualization with Squiggle or rasterization via the CLI tool, XML external entities defined in the DTD are dereferenced and the content of the target file is included in the output.
> The impact of this vulnerability ranges from denial of service to file disclosure. Under Windows, it can also be used to steal LM/NTLM hashes.
> For some additional information about XXE attacks, please refer to http://cwe.mitre.org/data/definitions/827.html
> How to reproduce: 
> $> rasterizer xxe.svg -d xxe.png



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
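As an added illustration of the point made in the comment above (not code from Batik or from either commenter), the following Java snippet shows the full set of DocumentBuilderFactory settings a hardened parser needs: the load-external-dtd feature the comment asks for, plus disallowing the DOCTYPE declaration and external general/parameter entities. The class name, the constructed SVG input and the example.invalid host are assumptions for the demonstration; the feature URIs are the standard Xerces/JAXP ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class HardenedSvgParserDemo {

    // Constructed sample input: an SVG whose DOCTYPE points at an external DTD.
    // example.invalid never resolves; it stands in for any host the DTD could name.
    private static final String SVG_WITH_EXTERNAL_DTD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE svg SYSTEM \"http://example.invalid/remote.dtd\">\n"
      + "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"10\" height=\"10\"/>\n";

    // Factory configured so that neither entity expansion nor DTD fetching can occur.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Strongest setting: refuse any DOCTYPE at all, since SVG rendering never needs one.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must accept a DOCTYPE: no external
        // general or parameter entities, and no fetch of the external DTD itself
        // (the setting the comment above identifies as missing from the original fix).
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses with the given factory and a resolver that refuses every external
    // reference, so a parser that silently ignores a feature still cannot reach
    // the network or the filesystem.
    public static Document parse(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("external entity blocked: " + systemId);
        });
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        try {
            parse(hardenedFactory(), SVG_WITH_EXTERNAL_DTD);
            System.out.println("unexpected: document accepted");
        } catch (SAXParseException e) {
            // With disallow-doctype-decl set, the parser stops at the DOCTYPE line
            // before it would ever resolve http://example.invalid/remote.dtd.
            System.out.println("rejected as intended: " + e.getMessage());
        }
    }
}
```

Run with `java HardenedSvgParserDemo`; the hardened factory rejects the document at the DOCTYPE, so no outbound request is made. The entity resolver is the check to keep even when a DTD must be tolerated: it turns any attempted external fetch into a parse failure that shows up in logs rather than as a silent network connection.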
