Friday, July 17, 2009

Jersey, your code, might be vulnerable to XXE attack

XXE is an interesting security hole where you use entity expansion in an XML document. Take for example the following xml file:

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>

You might get the following response from a jersey service depending on how your XML parser in configured:

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<search><response>User root:x:0:0:root:/root:/bin/bash
not found</reponse></search>

There is a bunch of stuff in this thread on how to disable this expansion by default. This is fixed in the latest builds of Jersey 1.1.1ea so it is recommended that you upgrade. This does reproduce when running Jersey on weblogic so this is of interest. (Doesn't affect the JAX-WS stack)

Of course it is possible that any general xml parsing code you have might be vulnerable so it is worth understanding the problem so you can prevent it from happening in your application.

No comments: