A potential XXE vulnerability found on rhino

[brianwrf]

Howdy,

Just found a potential XXE vulnerability on rhino as show below, it seems function toXml didn't add any protection from XXE vulnerability when parsing XML document.

https://github.com/mozilla/rhino/blob/master/xmlimplsrc/org/mozilla/javascript/xmlimpl/XmlProcessor.java#L225

You may need to follow the OWASP guide below which provides concise information to prevent this vulnerability.
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java

Thanks,
Brian

[nightwatchcyber]

@gbrail / @rbri - did someone from the Rhino project team have a chance to look at this issue?

[dipaktilekar]

@brianwrf Can you help us understand the vulnerability with some attack vector?

The reason i am asking is:

• I wrote a main method in XmlProcessor.java to verify toXml vulnerability and tried few xmls with below entity attack.

     <!DOCTYPE foo [<!ELEMENT foo ANY >
     <!ENTITY xxe SYSTEM "/" >]>

• But it failed with "Scanner State 24 not Recognized". I believe Java Parser is not allowing DOCTYPE injection (i.e. state 24).

TypeError: Cannot parse XML: Scanner State 24 not Recognized (_2B0601040181900D819C200A819C200100#94)
Execution time: 446.0 ms
org.xml.sax.SAXException: Scanner State 24 not Recognized
at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:271)
at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:347)
at org.mozilla.javascript.xmlimpl.XmlProcessor.toXml(XmlProcessor.java:274)
at org.mozilla.javascript.xmlimpl.XmlProcessor.main(XmlProcessor.java:401)

So not sure if this is truly vulnerable. Please correct me if i am wrong.

FYI - @nightwatchcyber @gbrail @rbri

[gbrail]

Looking at the code, and sticking in a handy "printf," I see that although there are standard APIs now to disable external entity fetching, we're not explicitly disabling that feature, so in theory we could be vulnerable. It'd be a simple change to put in the code, if someone is looking for a good first PR... The JavaDoc makes it clear what to do for recent Java versions: https://docs.oracle.com/en/java/javase/12/docs/api/java.xml/javax/xml/parsers/DocumentBuilderFactory.html#setAttribute(java.lang.String,java.lang.Object)

…

On Wed, Aug 28, 2019 at 2:54 PM git4dipu ***@***.***> wrote: @brianwrf <https://github.com/brianwrf> Can you help us understand the vulnerability with some attack vector? The reason i am asking is: - I wrote a main method in XmlProcessor.java to verify toXml vulnerability and tried few xmls with below entity attack. ]> - But it failed with "Scanner State 24 not Recognized". I believe Java Parser is not allowing DOCTYPE injection (i.e. state 24). TypeError: Cannot parse XML: Scanner State 24 not Recognized (_2B0601040181900D819C200A819C200100#94) Execution time: 446.0 ms org.xml.sax.SAXException: Scanner State 24 not Recognized at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:271) at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:347) at org.mozilla.javascript.xmlimpl.XmlProcessor.toXml(XmlProcessor.java:274) at org.mozilla.javascript.xmlimpl.XmlProcessor.main(XmlProcessor.java:401) So not sure if this is truly vulnerable. Please correct me if i am wrong. FYI - @nightwatchcyber <https://github.com/nightwatchcyber> @gbrail <https://github.com/gbrail> @rbri <https://github.com/rbri> — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#479?email_source=notifications&email_token=AAD7I27NV56QPW5AO6JCN6LQG3XX5A5CNFSM4FXYLJFKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5MSYGI#issuecomment-525937689>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAD7I2Z44EHGJKWVHJ5X5P3QG3XX5ANCNFSM4FXYLJFA> .

[tonygermano]

@gbrail I think this issue should have been closed with #600