3 Replies Latest reply on Mar 7, 2016 12:29 PM by vismay2011

    Disable DTD declaration




      How can I disable DOCTYPE declarations to prevent XXE injection? At the moment I'm using JBoss 4.2.3 with JBossWS 3.1.1, and I can do stuff like this:


      <!DOCTYPE root
      <!ENTITY xxe SYSTEM "/windows/system32/drivers/etc/hosts">


      and inject the xxe entity into my SOAP parameters. How can I prevent this from happening? I found this page http://java.sun.com/j2se/1.5.0/docs/guide/xml/jaxp/JAXP-Compatibility_150.html#JAXP_security, which talks about disabling DTD declarations. Is this the way to go, or is there some other way?


      Best Regards


      Roberto Cortez

        • 1. Re: Disable DTD declaration

          I have the exact same problem. The flow goes:


          org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(ln: 447)

          org.jboss.ws.core.soap.MessageFactoryImpl.createMessage(ln: 275)


          At this point the ServiceLoader will find the impl class for EnvelopeBuilder, which is "org.jboss.ws.core.soap.EnvelopeBuilderDOM". This class uses "org.jboss.wsf.common.DOMUtils" to parse the SOAP envelope, which has this (at line 95):


          String[] resolvers = { "org.jboss.ws.core.utils.JBossWSEntityResolver", "org.jboss.util.xml.JBossEntityResolver" };


          I can't see how this can be easily configured, as the "org.jboss.wsf.common.DOMUtils" class has hard-coded the EntityResolvers to be "org.jboss.ws.core.utils.JBossWSEntityResolver" or "org.jboss.util.xml.JBossEntityResolver" (the latter is used if both are available). Both of these will read an InputSource when entities are defined (e.g. read a file).


          After a fair bit of digging, I think you either:


          (1) implement filters to block/filter ENTITY requests on the way in, or

          (2) define your own "org.jboss.ws.core.soap.EnvelopeBuilder" impl class, which can be done by overriding the "META-INF/services/org.jboss.ws.core.soap.EnvelopeBuilder" file in "jbossws-core.jar", in which you can specify your own DOMUtils with a custom EntityResolver.


          Hope this helps.
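          As an added illustration of what the original question (disabling DOCTYPE declarations) and option (2) above (a DOMUtils replacement with a custom EntityResolver) amount to in code: the following is example code written for this thread, not JBossWS's own DOMUtils or EnvelopeBuilder. The class and resolver names (SafeSoapParser, RefusingEntityResolver) are made up for the example; the feature URIs are the standard SAX/Xerces features that the linked JAXP security page describes, and JBossWS ships Xerces, so they are available to the parser it uses. The envelopes in main() are constructed samples, and the DOCTYPE one uses only an empty internal entity so it triggers the check without touching any file.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

/** Hypothetical hardened replacement for the DOM parsing done in DOMUtils (example, not JBossWS code). */
public class SafeSoapParser {

    // Standard SAX/Xerces feature names (the ones the JAXP security guide refers to).
    private static final String DISALLOW_DOCTYPE   = "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL   = "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD  = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /**
     * Custom EntityResolver for option (2): instead of opening the InputSource like
     * JBossWSEntityResolver / JBossEntityResolver do, refuse every external entity outright.
     */
    public static final class RefusingEntityResolver implements EntityResolver {
        @Override
        public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
            throw new SAXException("external entity resolution refused for systemId=" + systemId);
        }
    }

    /** Builds a DocumentBuilder that rejects any DOCTYPE and never fetches external entities. */
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(DISALLOW_DOCTYPE, true);      // any <!DOCTYPE ...> in the envelope becomes a parse error
        f.setFeature(EXTERNAL_GENERAL, false);     // defence in depth if a DOCTYPE ever got through
        f.setFeature(EXTERNAL_PARAMETER, false);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver(new RefusingEntityResolver()); // last line of defence if a feature is unsupported
        return b;
    }

    /** Parses a SOAP envelope; throws SAXParseException when the envelope carries a DOCTYPE. */
    public static Document parseEnvelope(byte[] envelope) throws Exception {
        return newHardenedBuilder().parse(new ByteArrayInputStream(envelope));
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: one plain envelope, one prefixed with a (harmless, internal-only) DOCTYPE.
        String clean = "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                     + "<soap:Body/></soap:Envelope>";
        String withDoctype = "<!DOCTYPE root [<!ENTITY x \"\">]>" + clean;

        Document ok = parseEnvelope(clean.getBytes(StandardCharsets.UTF_8));
        System.out.println("clean envelope parsed, root = " + ok.getDocumentElement().getTagName());

        try {
            parseEnvelope(withDoctype.getBytes(StandardCharsets.UTF_8));
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            // Expected path: the parser stops at the DOCTYPE before any entity is declared or resolved.
            System.out.println("rejected envelope with DOCTYPE: " + e.getMessage());
        }
    }
}
```

          Rejecting the DOCTYPE up front is the cleaner fix because the entity is never declared, so the hard-coded resolvers in DOMUtils never get a chance to open the file; the feature flags and the refusing resolver are only there so the parser stays safe if a given XML implementation ignores the disallow-doctype-decl feature.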

          • 2. Re: Disable DTD declaration

            This vulnerability is fixed as of JBossWS 3.3.1.GA.

            • 3. Re: Disable DTD declaration

              Can you please tell me the bug ID and the changes so that I can pull the fix?