| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <op.x8j4mv0bn9yd54@christofers-macbook-pro.local> Date: Mon, 23 Nov 2015 15:17:09 +0100 From: "Christofer Dutz" <cdutz@...che.org> To: dev@...x.apache.org, "users@...x.apache.org" <users@...x.apache.org>, security@...che.org, oss-security@...ts.openwall.com, bugtraq@...urityfocus.com Subject: CVE-2015-5255: SSRF vulnerability in Apache Flex BlazeDS 4.7.1 CVE-2015-5255: SSRF vulnerability in Apache Flex BlazeDS 4.7.1 Severity: Important Vendor: The Apache Software Foundation Versions Affected: BlazeDS 4.7.0 and 4.7.1 Description: The code in BlazeDS to deserialize AMF XML datatypes allows so-called SSRF Attacks (Server Side Request Forgery) in which the server could contact a remote service on behalf of the attacker. The attacker could hereby circumvent firewall restrictions. Mitigation: 4.7.x users should upgrade to 4.7.2 Example: For XML object containing the following string representation: <!DOCTYPE foo PUBLIC "-//VSR//PENTEST//EN" "http://protected-server/protected-service"><foo>Some content</foo> The server could access the url: http://protected-server/protected-service Even if directly accessing this resource is prevented by firewall rules. Credit: This issue was discovered by James Kettle of PortSwigger Ltd. References: http://www.vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf Christofer Dutz
Powered by blists - more mailing lists