[Bug 63899] New: xxe vulnerability


[Bug 63899] New: xxe vulnerability

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63899

            Bug ID: 63899
           Summary: xxe vulnerability
           Product: POI
           Version: 4.1.0-FINAL
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: blocker
          Priority: P2
         Component: XSSF
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Created attachment 36868
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=36868&action=edit
pw: test123

Apache POI's latest version 4.1.1 is still vulnerable to an XXE vulnerability
while uploading an XLSX file.
An XXE attack can be made by adding a DOCTYPE declaration in the
sharedStrings.xml file. The current implementation blocks the vulnerability if it is
injected in all other XML files but doesn't when it is added in the sharedStrings.xml
file.
Please do the needful.
The vulnerable file is attached.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

[Bug 63899] xxe vulnerability

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63899

--- Comment #1 from PJ Fanning <[hidden email]> ---
That DTD is benign.

If you use XSSFWorkbook, XMLBeans is used to load the sharedstrings.xml.

XMLBeans can be configured to control some of the XML parser behaviours
(org.apache.poi.ooxml.POIXMLTypeLoader.DEFAULT_XML_OPTIONS).

The XML parser secure processing flags are enabled by default so malicious DTDs
should be rejected.

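The comment above turns on the point that a DOCTYPE in sharedStrings.xml is only dangerous if the XML parser that reads the part resolves external entities, and that "secure processing" is what is supposed to stop it. The following is an added example, not Apache POI or XMLBeans code, written against plain JAXP so the parser configuration is visible: it constructs a sharedStrings.xml part whose first string is an external entity pointing at a marker file the program writes itself, then parses it once with an unconfigured DocumentBuilderFactory and once with a hardened one. The class name, the payload, the marker file and the helper names are all assumptions of this example.

```java
// Added example (not Apache POI / XMLBeans code): shows what a DOCTYPE in
// sharedStrings.xml can do with a default JAXP parser and which features a
// hardened factory needs so the part is rejected. Class, payload and marker
// file are constructed for this demonstration.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class SharedStringsXxeCheck {

    /** Constructed payload: a minimal sharedStrings.xml whose only shared string
     *  is an external general entity that points at a local marker file. */
    static String payload(Path marker) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
             + "<!DOCTYPE sst [<!ENTITY xxe SYSTEM \"" + marker.toUri() + "\">]>\n"
             + "<sst xmlns=\"http://schemas.openxmlformats.org/spreadsheetml/2006/main\""
             + " count=\"1\" uniqueCount=\"1\">\n"
             + "  <si><t>&xxe;</t></si>\n"
             + "</sst>\n";
    }

    /** Default JAXP factory: nothing disabled, external general entities are resolved. */
    static DocumentBuilderFactory unsafeFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened factory: secure processing plus an outright ban on DOCTYPE. OOXML
     *  parts never legitimately carry a DTD, so rejecting the declaration itself is
     *  the simplest policy; the remaining features are belt-and-braces for parsers
     *  that ignore disallow-doctype-decl. */
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses the part with the given factory and returns the text of the first <t>,
     *  or null if the parser refused the document (SAXParseException and friends). */
    static String firstSharedString(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getElementsByTagName("t").item(0).getTextContent();
        } catch (Exception e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // The "secret" the entity reads is a temp file this program creates, so the
        // demonstration stays local and needs no network access.
        Path marker = Files.createTempFile("xxe-marker", ".txt");
        Files.write(marker, "SECRET-MARKER".getBytes(StandardCharsets.UTF_8));
        String xml = payload(marker);

        System.out.println("default parser : " + firstSharedString(unsafeFactory(), xml));
        System.out.println("hardened parser: " + firstSharedString(hardenedFactory(), xml));

        Files.delete(marker);
    }
}
```

With the unconfigured factory the marker file's contents come back as the cell string, which is exactly the leak the reporter is worried about; with the hardened factory the parse fails at the DOCTYPE and `firstSharedString` returns null. Whether a given POI build behaves like the second case depends on the options XMLBeans is handed (the DEFAULT_XML_OPTIONS mentioned above), so the practical check is to feed such a part through the real loader and confirm the document is refused rather than to trust the default.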

[Bug 63899] xxe vulnerability

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63899

Dominik Stadler <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #2 from Dominik Stadler <[hidden email]> ---
Please follow the security reporting guidelines for Apache projects described
at https://www.apache.org/security/, i.e. ideally the report is sent to a
mailing list only at first to not make any potential security issue publicly
available immediately.

Also please include code to show the problem that you see, as it seems we
cannot reproduce the described behavior just off of the xlsx file. In particular,
what do you mean by "uploading", and which code is used to demonstrate the
problem?


[Bug 63899] xxe vulnerability

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63899

--- Comment #3 from Santosh Pandey <[hidden email]> ---
OK, sorry, sending the issue to the email list, closing this here.


[Bug 63899] xxe vulnerability

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63899

--- Comment #4 from Santosh Pandey <[hidden email]> ---
You can delete this bug.


[Bug 63899] xxe vulnerability

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=63899

Dominik Stadler <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEEDINFO                    |RESOLVED
