users@jersey.java.net

Re: Jersey vulnerable to XXE attack?

From: Tim McCune <tim_at_mccune.name>
Date: Mon, 6 Jul 2009 13:01:15 -0700

I came across this:
http://java.sun.com/j2se/1.5.0/docs/guide/xml/jaxp/JAXP-Compatibility_150.html#JAXP_security

specifically, the entityExpansionLimit system property. So setting this to
0 seems like a nice easy way to solve the problem.

Maybe Jersey should set this system property to 0 by default? Seems like
the vast majority of use cases would NOT want callers of their web services
to be able to access random files on their server's file system.


On Mon, Jul 6, 2009 at 11:03 AM, Tim McCune <tim_at_mccune.name> wrote:

> http://www.securiteam.com/securitynews/6D0100A5PU.html
>
> Just tried this attack against a simple web service built on top of Jersey,
> and it seems to have succeeded.
>
> <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
> <foo><bar>&xxe;</bar></foo>
>
> If I POST that to a web service built on Jersey, and have my resource just
> return the parameter that was passed into it, I can see the contents of
> /etc/passwd.
>
> Can anyone confirm that this vulnerability exists, and if so, advise on the
> best way to protect against it?
>
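An added example, not code from this thread or from Jersey itself: a JAXB unmarshal routed through a SAX reader that refuses DOCTYPE declarations and external entities, exercised against a constructed payload of the same shape as the one quoted above. The `Foo` class and the decision to unmarshal via `SAXSource` are assumptions for illustration.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class XxeHardening {

    // Hypothetical JAXB-bound type matching the <foo><bar/></foo> document in the thread.
    @XmlRootElement(name = "foo")
    public static class Foo {
        public String bar;
    }

    // Constructed sample with the same shape as the payload quoted in the thread.
    static final String PAYLOAD =
        "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
      + "<foo><bar>&xxe;</bar></foo>";

    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        // Reject any DOCTYPE outright, so no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newSAXParser().getXMLReader();
    }

    // Unmarshal through the hardened reader instead of letting JAXB pick a default parser.
    static Foo unmarshal(String xml) throws Exception {
        SAXSource src = new SAXSource(hardenedReader(), new InputSource(new StringReader(xml)));
        return (Foo) JAXBContext.newInstance(Foo.class).createUnmarshaller().unmarshal(src);
    }

    public static void main(String[] args) throws Exception {
        try {
            Foo foo = unmarshal(PAYLOAD);
            System.out.println("parsed, bar=" + foo.bar);
        } catch (UnmarshalException e) {
            // The DOCTYPE is refused before any SYSTEM entity could be resolved.
            System.out.println("rejected: " + e.getCause());
        }
    }
}
```

Only the parser side is shown; wiring the hardened reader into a Jersey resource (for instance from a custom JAX-RS `MessageBodyReader`) is left to the application.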