I could not reproduce it. The JAXB serializer (correctly) identified this as an invalid request.
Maybe it works with resources that are processing form parameters? It may be helpful to see the code snippet of the resource you are accessing.
--
=NPG=
From: ksuwildcat_at_gmail.com [mailto:ksuwildcat_at_gmail.com] On Behalf Of Tim McCune
Sent: Monday, July 06, 2009 1:04 PM
To: users_at_jersey.dev.java.net
Subject: [Jersey] Jersey vulnerable to XXE attack?
http://www.securiteam.com/securitynews/6D0100A5PU.html
Just tried this attack against a simple web service built on top of Jersey, and it seems to have succeeded.
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo><bar>&xxe;</bar></foo>
If I POST that to a web service built on Jersey, and have my resource just return the parameter that was passed into it, I can see the contents of /etc/passwd.
Can anyone confirm that this vulnerability exists, and if so, advise on the best way to protect against it?