OpenMRS Core / TRUNK-3942

Possible XXE attacks when parsing downloaded xml files


Details

Complexity: Medium

      Description

      This issue was discovered by Timothy D. Morgan during the FLOSSHack event.

      See article on XXE attacks.

      Update RDF files seem to be downloaded via HTTPS, which authenticates
      them. However, if these are ever distributed from an insecure source
      or over an insecure channel, then they would likely be parsed with XML
      external entity support enabled.

      Extra credit for finding other parts of the code base that download xml files and parse them.

      Example code that is vulnerable is in UpdateFileParser.java:

              import java.io.StringReader;
              import javax.xml.parsers.DocumentBuilder;
              import javax.xml.parsers.DocumentBuilderFactory;
              import org.apache.commons.logging.Log;
              import org.apache.commons.logging.LogFactory;
              import org.openmrs.module.ModuleException;
              import org.w3c.dom.Document;
              import org.xml.sax.InputSource;

              // Imports, class skeleton, field and finally block are reconstructed so the quoted fragment compiles;
              // the parser configuration is left exactly as reported (default factory, external entities enabled).
              public class UpdateFileParser {
                      private static final Log log = LogFactory.getLog(UpdateFileParser.class);
                      /** Raw contents of the downloaded update.rdf file */
                      private String content;
                      /**
                       * Parse the contents of the update.rdf file.
                       *
                       * @throws ModuleException
                       */
                      public void parse() throws ModuleException {
                              StringReader stringReader = null;
                              try {
                                      Document updateDoc = null;
                                      try {
                                              stringReader = new StringReader(content);
                                              InputSource inputSource = new InputSource(stringReader);
                                              inputSource.setSystemId("./");
                                              // Default factory: DOCTYPE processing and external entity resolution stay enabled
                                              DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
                                              DocumentBuilder db = dbf.newDocumentBuilder();
                                              updateDoc = db.parse(inputSource);
                                      }
                                      catch (Exception e) {
                                              log.warn("Unable to parse content");
                                              throw new ModuleException("Error parsing update.rdf file: " + content, e);
                                      }
                              }
                              finally {
                                      if (stringReader != null) {
                                              stringReader.close();
                                      }
                              }
                      }
              }
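As an added example (not code from the OpenMRS project or from this issue), the snippet below shows the same `DocumentBuilderFactory` parse with DOCTYPE declarations and external entity resolution switched off, and exercises it on a constructed update.rdf-like document that carries a DOCTYPE. The class name `HardenedUpdateFileParser`, the method names and the sample documents are assumptions made for the example; the placeholder URL in the sample is never fetched.

```java
// Added example: a DocumentBuilderFactory hardened against XXE, run against a
// constructed update.rdf-like document. Not part of the OpenMRS code base.
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedUpdateFileParser {

    /** Factory with every entity-resolution path disabled; throws if the parser cannot honour a feature. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE at all: update.rdf never needs one, and this single feature
        // stops both external entities and entity-expansion inputs before resolution starts.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a different parser implementation ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parses update.rdf content with the hardened factory. No system id is set on the
     *  InputSource, so relative references in the document have nothing to resolve against. */
    static Document parseHardened(String content) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(content)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal update.rdf-like document whose DOCTYPE declares an
        // external entity. The URL is a placeholder; the hardened parser never requests it.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE updates [<!ENTITY ext SYSTEM \"http://placeholder.invalid/entity\">]>\n"
            + "<updates><update><version>&ext;</version></update></updates>";
        // Constructed sample without a DOCTYPE, as a well-formed update.rdf would be.
        String clean = "<?xml version=\"1.0\"?><updates><update><version>1.0</version></update></updates>";

        System.out.println("clean document, hardened parser: root = "
            + parseHardened(clean).getDocumentElement().getTagName());

        try {
            parseHardened(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE document was accepted");
        } catch (SAXParseException e) {
            // Expected path: the DOCTYPE is refused before any entity could be resolved.
            System.out.println("hardened parser rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

The `disallow-doctype-decl` feature is the one that actually closes the hole for a format like update.rdf that never legitimately carries a DTD; the remaining features only matter if a deployment swaps in a parser that does not honour it. The fragment quoted in the issue also calls `inputSource.setSystemId("./")`, which gives relative entity references a base to resolve from; the hardened version leaves the system id unset so there is no base at all.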

People

Assignee: Lluis Martinez (lluismf)
Reporter: Wyclif Luyima (wyclif)
Votes: 0
Watchers: 4


Time Tracking

Original estimate: 4h
Time spent: 30m
Remaining estimate: 3h 30m