[jira] [Comment Edited] (BATIK-1139) SSRF through external DTD resolution

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[jira] [Comment Edited] (BATIK-1139) SSRF through external DTD resolution

JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/BATIK-1139?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15985316#comment-15985316 ]

Antoine Beaupre edited comment on BATIK-1139 at 4/26/17 6:41 PM:
-----------------------------------------------------------------

Hi. Is this vulnerability the same as https://nvd.nist.gov/vuln/detail/CVE-2017-5662?

Also: are the commits referred to in this  bug report sufficient to fix this issue on 1.8? I'm looking at backporting those to 1.7 as well, and so far am under the assumption the patches are enough and complete there as well.

Thanks!


was (Author: anarcat):
Hi. Is this vulnerability the same as https://nvd.nist.gov/vuln/detail/CVE-2017-5662?

Thanks

> SSRF through external DTD resolution
> ------------------------------------
>
>                 Key: BATIK-1139
>                 URL: https://issues.apache.org/jira/browse/BATIK-1139
>             Project: Batik
>          Issue Type: Bug
>          Components: SVG Rasterizer
>    Affects Versions: 1.8
>            Reporter: Lars Krapf
>            Assignee: Glenn Adams
>             Fix For: 1.9
>
>         Attachments: ssrf.svg
>
>
> The fix for XXE (BATIK-1018) seems to be incomplete.
> External DTD resolution should also be disabled in order to avoid attacks like SSRF or port-scanning behind the firewall.
> See attached file (ssrf.svg) for an example.
> {code}
> chaotic@m0lly:~$ nc -l 2323
> GET / HTTP/1.1
> User-Agent: Java/1.7.0_60-ea
> Host: localhost:2323
> Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
> Connection: keep-alive
> {code}
> To fix it you could disable the external DTD resolution altogether, using the document factory configuration, i.e.
> {code}
> dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
> {code}
> See also https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing for more information on XXE.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Loading...