
[Security] XmlFullSignature operation is vulnerable to XML External Entity Injection (XXE)

Open lauritzh opened this issue 3 years ago • 1 comment

Attention: The XmlFullSignature operation is vulnerable to XXE. This has the following implications:

  1. Depending on your use case of CSTC, you are directly vulnerable to this attack. E.g. if you enable CSTC with the XmlFullSignature operation for the proxy, any website you browse is potentially able to exfiltrate local files.
  2. The vulnerability may lead to false positive findings for your test subject, as the injection takes place on your machine but may appear to be a vulnerability of your subject.

Workaround: Until a fix is available, I would recommend not using the vulnerable XmlFullSignature operation.

Proof of Concept

Example Payload:

GET / HTTP/1.1
Host: poc.local
Content-Type: text/xml

<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>&test;</root>

Arrange your lanes as follows: [screenshot: cstc_poc]

Vulnerable Code Snippet

https://github.com/usdAG/cstc/blob/48b8fd252e987e27d4e97a547593e5605ee92167/src/de/usd/cstchef/operations/signature/XmlFullSignature.java#L27

Proposed Fix

The DocumentBuilder should be configured to disable external entities:

dbf.setExpandEntityReferences(false);

lauritzh avatar May 25 '22 12:05 lauritzh
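As an added example (not the project's code and not part of the issue text), the following Java snippet shows a DocumentBuilderFactory configured with the JAXP/Xerces features commonly recommended against XXE, with the single setting proposed above as one line among several; parsing a document of the same shape as the proof-of-concept payload then fails at the DOCTYPE instead of resolving the entity. The class name, method name and the constructed sample document are my own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Constructed sample input with the same shape as the proof-of-concept above:
    // a DOCTYPE declaring an external entity, followed by a reference to it.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>"
        + "<root>&test;</root>";

    // Builds a parser that rejects DOCTYPE declarations outright and, as defence in depth,
    // also disables external entities, external DTD loading and XInclude.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // XML Signature processing needs namespace-aware DOM
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Strongest setting: no DTD at all. Signature handling does not need one.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        // The line proposed in the issue; on its own it does not stop entity resolution.
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder db = hardenedBuilder();
        try {
            Document doc = db.parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
            System.out.println("Parsed unexpectedly: " + doc.getDocumentElement().getTextContent());
        } catch (SAXParseException e) {
            // Expected path: the JDK parser refuses the document at the DOCTYPE,
            // before any entity is declared or resolved.
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```

Running the class prints the "Rejected as expected" line; with a default DocumentBuilderFactory the same input is parsed and the entity is resolved.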

The fix should be thoroughly tested before merge. Further, CSTC includes more XML operations that need review, too.

lauritzh avatar May 25 '22 12:05 lauritzh

Hi there!

Looks like the fix referenced in this issue should be included in the latest release v1.3.0: https://github.com/usdAG/cstc/commits/v1.3.0. If this is the case, feel free to close this issue.

Best regards and have a great day, Lauritz

lauritzh avatar Mar 28 '23 13:03 lauritzh

Hi, yes the fix is included in the new release, thanks again for contributing! :+1:

fhaag95 avatar Mar 28 '23 14:03 fhaag95