[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] XXE Injection in Spring Framework

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] XXE Injection in Spring Framework
From: "/-\\\\ndrew /\\//ady" <andrew@xxxxxxxxxxxxxx>
Date: Mon, 4 Nov 2013 11:26:02 -0800

Hi,
Was Pivotal informed about these advisories and was there any collaboration 
from them?
The current stable is 3.2.4

Thanks,
A.


On Saturday, November 02, 2013 07:04:59 AM MustLive wrote:
> Hello!
> 
> I'll give you additional information concerning advisory XML External
> Entity (XXE) Injection in Spring Framework
> (http://securityvulns.ru/docs29758.html).
> 
> -------------------------
> Affected products:
> -------------------------
> 
> - 3.0.0 to 3.2.3 (Spring OXM & Spring MVC)
> - 4.0.0.M1 (Spring OXM)
> - 4.0.0.M1-4.0.0.M2 (Spring MVC)
> - Earlier unsupported versions may also be affected
> 
> -------------------------
> Affected vendors:
> -------------------------
> 
> Spring by Pivotal.
> 
> ----------
> Details:
> ----------
> 
> The Spring OXM wrapper doesn't disable external entity resolution when
> using the JAXB unmarshaller (SAXSource and StreamSource instances are
> vulnerable). Also Spring MVC processes user provided XML with JAXB in
> combination with a StAX XMLInputFactory without disabling external entity
> resolution.
> 
> Besides standard vectors of attacks with XXE Injection vulnerabilities
> (such as local file inclusion), which are usually mentioned in advisories,
> XXE Injection also allows to conduct attacks on other sites. And with
> using DAVOSET (DDoS attacks via other sites execution tool) it's possible
> to automate such attacks.
> 
> I wrote about such attacks in my 2012's article "Using XML External
> Entities (XXE) for attacks on other sites"
> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2012-
> August/008481.html) and 2013's "Using XXE vulnerabilities for attacks on
> other sites"
> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-
> August/008887.html). As I described in my articles, XXE vulnerabilities can
> be used for conducting CSRF and DoS attacks on other sites (and at using
> multiple web sites it's possible to conduct DDoS attacks). And my tool
> DAVOSET can be used for conducting such attacks via XXE vulnerabilities.
> 
> In October I released video demonstration of DAVOSET:
> http://www.youtube.com/watch?v=RKi35-f346I
> 
> So all vulnerable web applications with affected versions of Spring
> Framework can be used for attacks on other sites via XXE Injection.
> 
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] XXE Injection in Spring Framework
  - From: MustLive

Prev by Date: [Full-disclosure] XSS and FPD vulnerabilities in LBG Zoom In/Out Effect Slider for WordPress
Next by Date: Re: [Full-disclosure] ASUS RT-N13U Unsecured Telnet on LAN and WAN
Previous by thread: [Full-disclosure] XXE Injection in Spring Framework
Next by thread: Re: [Full-disclosure] XXE Injection in Spring Framework
Index(es):
- Date
- Thread