| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <op.x3l5qewzn9yd54@christofers-mbp>
Date: Wed, 19 Aug 2015 13:48:04 +0200
From: "Christofer Dutz" <cdutz@...che.org>
To: security@...che.org, oss-security@...ts.openwall.com,
bugtraq@...urityfocus.com, dev@...x.apache.org, users@...x.apache.org
Subject: CVE-2015-3269 Apache Flex BlazeDS Insecure Xml Entity Expansion
Vulnerability
CVE-2015-3269 Apache Flex BlazeDS Insecure Xml Entity Expansion
Vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache Flex BlazeDS 4.7.0
Description: When receiving XML encoded AMF messages containing DTD
entities, the
default XML parser configurations allows expanding of entities to local
resources.
A request that included a specially crafted request parameter could be
used to
access content that would otherwise be protected.
Mitigation: All users of Apache Flex BlazeDS prior to 4.7.1
Example: For an AMF message that contains the following xml payload:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
the entity &xxe; would be expanded to the content of the file /etc/passwd.
However this expanded information is not automatically transferred back to
the client, but could be made available by the application.
Credit: This issue was discovered by Matthias Kaiser of Code White
References:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
Christofer Dutz
Powered by blists - more mailing lists