How to disable DOCTYPE parsing in the XML parser (Seam Remoting 2.2.4) in EAP?

Solution Unverified - Updated

Issue

  • XML external entity injection uses the DOCTYPE tag to declare the injected entity. It assigns the contents of the /etc/passwd file to the entity xxe5a4be, which is then used in the string parameter. This causes an error in the parser, and the contents of the /etc/passwd file are returned to the attacker. Is it possible to disable DOCTYPE parsing to avoid this security threat?
    For example:
    "<!DOCTYPE foo [<!ENTITY xxe5a4be SYSTEM "file:///etc/passwd"> ]>" is injected into the request and "<str>2123&xxe5a4be;</str>" is manipulated.

Example Request:

POST /abz/xyz/execute HTTP/1.1
Host: xxx.ABC.com
Content-Length: 315

<!DOCTYPE foo [<!ENTITY xxe5a4be SYSTEM "file:///etc/passwd"> ]><envelope><header><context></context></header><body><call component="anyHelper" method="getList" id="0"> <params><param><str>2123&xxe5a4be;</str></param><param><str>device</str></param></params><refs></refs></call></body></envelope>

This assigns the contents of the /etc/passwd file to the entity xxe5a4be, which is then used in the string parameter. Including the file causes an error in the parser, and the error message returns the file contents to the attacker.

Example Response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Content-Type: text/xml
Content-Length: 3934
Date: Wed, 18 Dec 2013 22:56:20 GMT

<envelope><header><context><conversationId>20270</conversationId></context></header><body><result id="0"><exception><message><str>org.hibernate.QueryException%3A%20unexpected%20char%3A%20%27%26%27%20%5Bselect%20pt%20from%20com.uisol.dashboard.model.PortletTab%20pt%20where%20pt.templateFlag%20%3D%200%20and%20pt.tabId%20in%20%282123%26xxe5a4be%3B%3Ax%3A0%3A0%3Aroot%3A%2Froot%3A%2Fbin%2Fbash%0Abin%3Ax%3A1%3A1%3Abin%3A%2Fbin%3A%2Fsbin%2Fnologin%0Adaemon%3Ax%3A2%3A2%3Adaemon%3A%2Fsbin%3A%2Fsbin%2Fnologin%0Aadm%3Ax%3A3%3A4%3Aadm%3A%2Fvar%2Fadm%3A%2Fsbin%2Fnologin%0Alp%3Ax%3A4%3A7%3Alp%3A%2Fvar%2Fspool%2Flpd%3A%2Fsbin%2Fnologin%0Async%3Ax%3A5%3A0%3Async%3A%2Fsbin%3A%2Fbin%2Fsync%0Ashutdown%3Ax%3A6%3A0%3Ashutdown%3A%2Fsbin%3A%2Fsbin%2Fshutdown%0A
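As an added illustration of the DOCTYPE-rejection the question asks about (not code from this article or from Seam Remoting), the JAXP configuration below makes any DOCTYPE declaration a fatal parse error before any entity is resolved. The envelope strings are constructed samples modelled on the request above, the feature names are the standard Xerces/JAXP ones, and this shows the general parser-hardening approach rather than a Seam Remoting 2.2.4-specific setting, which this page does not show.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class DoctypeRejectingParser {

    // Constructed sample: a Seam-Remoting-style envelope carrying a DOCTYPE that
    // declares an entity. The entity here is internal and harmless on purpose;
    // the hardened parser must refuse the DOCTYPE before any entity is resolved.
    static final String ENVELOPE_WITH_DOCTYPE =
        "<!DOCTYPE foo [<!ENTITY xxe \"constructed\"> ]>"
      + "<envelope><body><call component=\"anyHelper\" method=\"getList\" id=\"0\">"
      + "<params><param><str>2123&xxe;</str></param></params></call></body></envelope>";

    // Constructed sample: the same envelope without a DOCTYPE, which must still parse.
    static final String ENVELOPE_WITHOUT_DOCTYPE =
        "<envelope><body><call component=\"anyHelper\" method=\"getList\" id=\"0\">"
      + "<params><param><str>2123</str></param></params></call></body></envelope>";

    // JAXP factory configured so that any DOCTYPE declaration is a fatal error.
    // disallow-doctype-decl is the setting that matters; the remaining features
    // are defence in depth for parsers that do not support it.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the text of the first <str> param, or null when the document is rejected.
    static String firstParam(String xml) throws Exception {
        try {
            Document d = hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getElementsByTagName("str").item(0).getTextContent();
        } catch (SAXParseException e) {
            // Raised by disallow-doctype-decl as soon as the DOCTYPE is seen.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("with DOCTYPE    -> " + firstParam(ENVELOPE_WITH_DOCTYPE));
        System.out.println("without DOCTYPE -> " + firstParam(ENVELOPE_WITHOUT_DOCTYPE));
    }
}
```

The same features apply to SAXParserFactory and XMLInputFactory-based parsers; whichever parser the remoting layer uses must be configured, since a default JAXP parser resolves SYSTEM entities.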

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 5.x
