CVE-2023-27480: XWIKI-20320: Disallow DOCTYPE in the XAR descriptor · xwiki/xwiki-platform@e3527b9
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. Users unable to upgrade may apply the patch e3527b98fd manually.
XWIKI-20320: Disallow DOCTYPE in the XAR descriptor
Showing 1 changed file with 2 additions and 0 deletions.
@@ -515,6 +515,8 @@ public void readDescriptor(InputStream stream) throws XarException, IOException
DocumentBuilder dBuilder;
try {
// Prevent XXE attack
dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dBuilder = dbFactory.newDocumentBuilder();
} catch (ParserConfigurationException e) {
throw new XarException("Failed to create a new Document builder", e);
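Review bot: the rejection that `disallow-doctype-decl` introduces surfaces at parse time (as a SAXParseException from `dBuilder.parse(...)` when the descriptor carries a DOCTYPE), not at `newDocumentBuilder()`, so the `catch (ParserConfigurationException e)` in this hunk only covers the case where the parser implementation does not support the feature. Make sure the parse call further down in `readDescriptor` maps that SAXException to a `XarException` with a message that says the descriptor was refused because of a DOCTYPE, and add a unit test that feeds a `package.xml` containing a `<!DOCTYPE ...>` and asserts the import fails. As defence in depth, consider also setting `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to `false` next to the new line, so an XML implementation that silently ignores the Xerces-specific feature still cannot resolve external entities.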
Related news

### Impact

Any user with edit rights on a document can trigger a XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host.

Example to reproduce:

* Create a forged XAR file and inside it, have the following `package.xml` content:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<package>
<infos>
<name>&xxe;</name>
<description> &xxe; Helper pages for creating and listing Class/Template/Sheets</description>
<licence></licence>
<author>XWiki.Admin</author>
...
```

* Upload it onto a wiki page (e.g. `XXE`) as an attachment (e.g. `test.xar`).
* Call the page using `http://localhost:8080/xwiki/bin/view/Main/XXE?sheet=XWiki.AdminImportSheet&file=test.xar`

You'll then notice that the displayed UI contains the content of the `/etc/passwd` file.

### Patches

The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1.

### Workarounds

You'd...
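To show what the one-line fix changes, here is an added, self-contained Java example (not XWiki's own code) that parses a constructed `package.xml` carrying a DOCTYPE with an unhardened `DocumentBuilderFactory` and then with the feature from commit e3527b9 set; the extra external-entity and secure-processing features are an assumption added as defence in depth and are not part of the patch. The constructed descriptor uses an internal entity so it runs without touching any file; a `SYSTEM` entity like the one in the advisory is rejected by the same check, because the parser refuses the DOCTYPE before any entity is declared.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XarDescriptorCheck {
    // Constructed descriptor (not a real XAR): an internal entity stands in for the
    // SYSTEM entity from the advisory; a hardened parser rejects the DOCTYPE either way.
    static final String DESCRIPTOR =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE package [ <!ENTITY xxe \"expanded-by-parser\"> ]>\n"
      + "<package><infos><name>&xxe;</name></infos></package>";

    /** Reads the <name> of a package.xml; hardened=true applies the commit's feature. */
    static String readName(InputStream stream, boolean hardened)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
        if (hardened) {
            // The patch: refuse any DOCTYPE, so no entity can be declared at all.
            dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Assumption (not in the patch): defence in depth for parsers that ignore
            // the Xerces-specific feature above.
            dbFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        }
        DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
        Document doc = dBuilder.parse(stream); // rejection happens here, not above
        return doc.getElementsByTagName("name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = DESCRIPTOR.getBytes(StandardCharsets.UTF_8);
        // Unpatched: the entity is expanded and lands in the descriptor's name.
        System.out.println("unpatched name = " + readName(new ByteArrayInputStream(bytes), false));
        // Patched: parse() throws a SAXParseException before any entity is processed.
        try {
            readName(new ByteArrayInputStream(bytes), true);
            System.out.println("patched: unexpectedly parsed");
        } catch (SAXException e) {
            System.out.println("patched: rejected -> " + e.getMessage());
        }
    }
}
```

The unpatched run prints the expanded entity text as the package name; the hardened run reports the parser's DOCTYPE-disallowed error, which is the point at which `readDescriptor` should convert the failure into a `XarException`.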