[Bug 63664] New: Veracode security issue-Improper Restriction of XML External Entity Reference CWE ID 611 in OOXMLPrettyPrint


[Bug 63664] New: Veracode security issue-Improper Restriction of XML External Entity Reference CWE ID 611 in OOXMLPrettyPrint

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63664

            Bug ID: 63664
           Summary: Veracode security issue-Improper Restriction of XML
                    External Entity Reference CWE ID 611 in
                    OOXMLPrettyPrint
           Product: POI
           Version: 4.0.x-dev
          Hardware: PC
            Status: NEW
          Severity: major
          Priority: P2
         Component: SXSSF
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

The product processes an XML document that can contain XML entities with URLs
that resolve to documents outside of the intended sphere of control, causing
the product to embed incorrect documents into its output. By default, the XML
entity resolver will attempt to resolve and retrieve external references. If
attacker-controlled XML can be submitted to one of these functions, then the
attacker could gain access to information about an internal network, local
filesystem, or other sensitive data. This is known as an XML eXternal Entity
(XXE) attack.

Recommendations
Configure the XML parser to disable external entity resolution.

Flaw Id: 7
Module:  poi-ooxml-4.1.0.jar
Location : OOXMLPrettyPrint.java 108

Flaw Id: 8
Module:  poi-ooxml-4.1.0.jar
Location : OOXMLPrettyPrint.java 135

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
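The recommendation above ("configure the XML parser to disable external entity resolution") is the whole fix, but the default JAXP factory does the opposite. The following is an added example, not code from the page, from Apache POI or from the r1865720 change: it parses a constructed document carrying an external entity once with a stock DocumentBuilderFactory and once with a hardened one. The helper names (XxeHardeningDemo, unsafeFactory, hardenedFactory, parse) and the sample XML are assumptions made for the demonstration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {

    // Constructed sample input (not from the bug report): a DOCTYPE that declares an
    // external entity. In a real attack the SYSTEM URI would point at a local file or
    // an internal network host; file:///etc/hostname is used here only as a harmless target.
    static final String XXE_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE root [ <!ENTITY ext SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<root>&ext;</root>";

    // Default JAXP configuration: the parser resolves and fetches external entities.
    static DocumentBuilderFactory unsafeFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration (hypothetical helper, not POI's own utility class): refuse
    // DOCTYPE declarations outright, and also switch off every external-entity path in
    // case the parser implementation in use does not honour the first feature.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Returns the root element's text content, or null when the parser rejected the
    // document with a SAXParseException (which is what the hardened factory does at the
    // DOCTYPE, before any URI has been touched). I/O failures are left to the caller.
    static String parse(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        try {
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Stock factory: the parser tries to read file:///etc/hostname. Where the file
        // exists its contents end up in the output; where it does not, the parse fails with
        // a FileNotFoundException, which still tells an attacker whether the path exists.
        try {
            System.out.println("unsafe   : " + parse(unsafeFactory(), XXE_SAMPLE));
        } catch (Exception e) {
            System.out.println("unsafe   : resolution attempted, failed with " + e);
        }
        // Hardened factory: null, because the DOCTYPE itself is rejected.
        System.out.println("hardened : " + parse(hardenedFactory(), XXE_SAMPLE));
    }
}
```

Setting only FEATURE_SECURE_PROCESSING is not enough on its own; it limits entity expansion but does not stop external resolution, which is why the example also disallows the DOCTYPE and disables the external-entity features explicitly.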


[Bug 63664] Veracode security issue-Improper Restriction of XML External Entity Reference CWE ID 611 in OOXMLPrettyPrint

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63664

Andreas Beeker <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #1 from Andreas Beeker <[hidden email]> ---
Every now and then we get findings on dev classes, which aren't meant for
production code, but do reside in the release.

These dev/sample classes usually don't get much attention after they've been
thrown into the trunk. I would prefer to move those classes to the test area or
link something like a github project, so it's neither POI's direct
responsibility nor do those cases bubble up when the library gets scanned ...
more important, we'd get results for real production code problems ...



[Bug 63664] Veracode security issue-Improper Restriction of XML External Entity Reference CWE ID 611 in OOXMLPrettyPrint

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63664

--- Comment #2 from PJ Fanning <[hidden email]> ---
I made a change (https://svn.apache.org/repos/asf/poi/trunk@1865720) - but I
agree that we should move these util classes to new code base to keep them out
of the jars we publish to maven central.
