lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 19 Aug 2015 13:48:04 +0200
From: "Christofer Dutz" <>
Subject: CVE-2015-3269 Apache Flex BlazeDS Insecure Xml Entity Expansion

CVE-2015-3269 Apache Flex BlazeDS Insecure Xml Entity Expansion  

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Flex BlazeDS 4.7.0

Description: When receiving XML encoded AMF messages containing DTD  
entities, the
default XML parser configurations allows expanding of entities to local  
A request that included a specially crafted request parameter could be  
used to
access content that would otherwise be protected.

Mitigation: All users of Apache Flex BlazeDS prior to 4.7.1

Example: For an AMF message that contains the following xml payload:
<?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE foo [
    <!ELEMENT foo ANY >
    <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
the entity &xxe; would be expanded to the content of the file /etc/passwd.
However this expanded information is not automatically transferred back to
the client, but could be made available by the application.

Credit: This issue was discovered by ´╗┐Matthias Kaiser of Code White


Christofer Dutz

Powered by blists - more mailing lists