OpenMRS Core: TRUNK-3942

Possible XXE attacks when parsing downloaded xml files


    Details

      Description

      This issue was discovered by Timothy D. Morgan during the FLOSSHack event.

      See article on XXE attacks.

      Update RDF files seem to be downloaded via HTTPS, which authenticates
      them to the extent that the update server itself is trusted. However, if these
      are ever distributed from an insecure source or over an insecure channel (or
      the update server is compromised), then they would likely be parsed with XML
      external entity support enabled, since the parser is created with the default
      JAXP DocumentBuilderFactory settings, which accept a DOCTYPE and resolve
      external entities.

      Extra credit for finding other parts of the code base that download xml files and parse them.

      Example code that is vulnerable is in:

      UpdateFileParser.java

              import java.io.StringReader;

              import javax.xml.parsers.DocumentBuilder;
              import javax.xml.parsers.DocumentBuilderFactory;

              import org.w3c.dom.Document;
              import org.xml.sax.InputSource;

              /**
               * Parse the contents of the update.rdf file.
               *
               * @throws ModuleException
               */
              public void parse() throws ModuleException {
                      StringReader stringReader = null;
                      try {
                              Document updateDoc = null;
                              try {
                                      stringReader = new StringReader(content);
                                      InputSource inputSource = new InputSource(stringReader);
                                      // Relative SYSTEM identifiers in the document resolve against the working directory.
                                      inputSource.setSystemId("./");
                                      // Default JAXP configuration: DOCTYPE declarations are accepted and
                                      // external general entities are fetched and expanded (the XXE exposure).
                                      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
                                      DocumentBuilder db = dbf.newDocumentBuilder();
                                      updateDoc = db.parse(inputSource);
                              }
                              catch (Exception e) {
                                      log.warn("Unable to parse content");
                                      throw new ModuleException("Error parsing update.rdf file: " + content, e);
                              }
                              // ... remaining processing of updateDoc is not shown in this ticket
                      }
                      finally {
                              if (stringReader != null) {
                                      stringReader.close();
                              }
                      }
              }
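      The following is an added example, not code from this ticket or from the OpenMRS
      code base. It parses a constructed update.rdf payload twice: once with the default
      DocumentBuilderFactory configuration used above, which resolves the external entity
      and pulls a local file into the document, and once with a hardened configuration
      that rejects the DOCTYPE outright. The XxeDemo class, the element names
      (updates, update, moduleId, downloadURL) and the temporary "secret" file are
      assumptions made for the demonstration.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added example (not OpenMRS code): the default parser configuration from the
 * ticket beside a hardened one, exercised against a constructed XXE payload.
 */
public class XxeDemo {

    /** Default configuration, as in UpdateFileParser.parse(): entities are resolved. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened configuration: no DOCTYPE, no external entities, no external DTD. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE removes the place where entities are declared; this is the
        // strongest single setting when the format never legitimately needs a DTD.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour these features but not the one above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parse content the way UpdateFileParser does and return the text of <downloadURL>. */
    static String parseDownloadUrl(DocumentBuilderFactory dbf, String content) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        InputSource inputSource = new InputSource(new StringReader(content));
        inputSource.setSystemId("./"); // relative SYSTEM ids resolve against the working directory
        Document doc = db.parse(inputSource);
        return doc.getElementsByTagName("downloadURL").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a local file the server must never disclose.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "db-password=hunter2".getBytes(StandardCharsets.UTF_8));

        // Constructed malicious update.rdf: the external entity pulls the file's contents
        // into <downloadURL>, which the update code would then log or act upon.
        String payload =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE updates [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
          + "<updates>\n"
          + "  <update><moduleId>demo</moduleId><downloadURL>&xxe;</downloadURL></update>\n"
          + "</updates>\n";

        try {
            // Default factory: prints the secret file's contents as the download URL.
            System.out.println("default parser : " + parseDownloadUrl(defaultFactory(), payload));
            try {
                System.out.println("hardened parser: " + parseDownloadUrl(hardenedFactory(), payload));
            } catch (SAXParseException e) {
                // Hardened factory: the DOCTYPE itself is a fatal error, nothing is fetched.
                System.out.println("hardened parser: rejected (" + e.getMessage() + ")");
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

      Run with java XxeDemo. The same hardening applies to every DocumentBuilderFactory,
      SAXParserFactory and XMLInputFactory instance in the code base, which is a useful
      way to find the other parsing sites the ticket asks about: grep for newInstance()
      on those factories and check whether each one disables DOCTYPE and external
      entities before parsing untrusted or downloaded content.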


              People

              Assignee: Lluis Martinez (lluismf)
              Reporter: Wyclif Luyima (wyclif)
              Votes: 0
              Watchers: 4


                  Time Tracking

                  Estimated: 4h (original estimate)
                  Remaining: 3h 30m
                  Logged: 30m