http://www.securiteam.com/securitynews/6D0100A5PU.html
Just tried this attack against a simple web service built on top of Jersey,
and it seems to have succeeded.
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo><bar>&xxe;</bar></foo>
If I POST that to a web service built on Jersey, and have my resource just
return the parameter that was passed into it, I can see the contents of
/etc/passwd.
Can anyone confirm that this vulnerability exists, and if so, advise on the
best way to protect against it?