Hi,
Our client has identified a security vulnerability issue using XML Entity Expansion in our Smart client UI.
This is the issue he has reported:
The application is configured to process recursively defined XML entities, which may lead to a denial of service condition if a sufficiently large set of recursive entity references is defined in the XML request.
An XML entity or named entity is an association between a reference (the entity) and a string. When the XML parser sees an entity in the body of a document, it performs a lookup to find the string associated with the entity. Once found, this string is substituted for the entity name in the document body.
As an example, consider the following XML file:

    <!DOCTYPE root [
      <!ENTITY ha "Hello World!">
    ]>
    <root>&ha;</root>

The XML parser will first load the entity definition in memory and then, when it sees "&ha;", it will replace it with the definition of the entity, which in this example is "Hello World!". Here is the resulting XML document in memory:

    <root>Hello World!</root>

The application XML parser will also recursively expand Document Type Definition (DTD) entities while parsing XML documents. The XML entity expansion attack targets parser memory consumption by utilizing recursion in XML entity definitions. The following XML document DOCTYPE requires the parser to make approximately 257 recursions (2n+1 where n equals 128 here):

    <!DOCTYPE root [
      <!ENTITY ha0 "content">
      <!ENTITY ha1 "&ha0; &ha0;">
      <!ENTITY ha2 "&ha1; &ha1;">
      …
      <!ENTITY ha128 '&ha127; &ha127;'>
    ]>
    <root>&ha128;</root>
A malicious user may be able to supply a relatively small XML document containing a large number of internal recursive DTD (Document Type Definition) references which would be expanded by the parser into a large quantity of text in memory. The time required to process these DTD references and the large amount of memory consumed by the process may lead to a denial of service condition on applications that utilize the XML parser. During such an attack, legitimate application users would experience extensive delays or be completely unable to access the application.
Remediation:
Depending on system requirements, one of the following options is available to prevent XML entity expansion attacks:
* Disable entity expansion when possible.
* Limit the number of entity reference nodes that the parser can expand.
* Limit the number of characters entities can expand to.
Do you have any fix to resolve this issue in SmartClient?
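
Added example, not part of the original post and not SmartClient code: a pre-parse guard for the second and third remediation options in the report, which counts entity declarations and computes the expanded size arithmetically instead of expanding anything. The function and option names (`checkEntityExpansion`, `maxEntities`, `maxChars`) and the limits are assumptions, and the regex scan only understands internal general entities, so it belongs in front of a hardened parser configuration rather than in place of one.

```javascript
// Added example: measure entity expansion without performing it.
const PREDEFINED = new Set(["amp", "lt", "gt", "quot", "apos"]);
const ENTITY_DECL = /<!ENTITY\s+([\w.:-]+)\s+(["'])([\s\S]*?)\2\s*>/g;
const REFERENCE = /&(#?[\w.:-]+);/g;

// Length of `text` once every reference is expanded (BigInt, memoized per entity).
function expandedLength(text, decls, memo, inProgress) {
  let total = BigInt(text.length);
  for (const [ref, name] of text.matchAll(REFERENCE)) {
    total -= BigInt(ref.length);
    // Character references and predefined entities expand to one character.
    if (name.startsWith("#") || PREDEFINED.has(name)) { total += 1n; continue; }
    // External (SYSTEM/PUBLIC) entities are never collected, so they fail closed here.
    if (!decls.has(name)) throw new Error(`undeclared entity: ${name}`);
    if (inProgress.has(name)) throw new Error(`recursive entity: ${name}`);
    if (!memo.has(name)) {
      inProgress.add(name);
      memo.set(name, expandedLength(decls.get(name), decls, memo, inProgress));
      inProgress.delete(name);
    }
    total += memo.get(name);
  }
  return total;
}

// Hypothetical limits; tune them to the largest legitimate request.
function checkEntityExpansion(xml, { maxEntities = 16, maxChars = 100000n } = {}) {
  const decls = new Map();
  for (const [, name, , value] of xml.matchAll(ENTITY_DECL)) {
    if (!decls.has(name)) decls.set(name, value); // XML: first declaration wins
  }
  const body = xml.replace(/<!DOCTYPE[\s\S]*?\]\s*>/, ""); // drop the internal subset
  const expandedChars = expandedLength(body, decls, new Map(), new Set());
  const allowed = decls.size <= maxEntities && expandedChars <= maxChars;
  return { entities: decls.size, expandedChars, allowed };
}

// Constructed sample following the ha0..haN pattern quoted in the report.
function chainDoc(n) {
  let dtd = '<!ENTITY ha0 "content">';
  for (let i = 1; i <= n; i++) dtd += `<!ENTITY ha${i} "&ha${i - 1}; &ha${i - 1};">`;
  return `<!DOCTYPE root [${dtd}]><root>&ha${n};</root>`;
}

console.log(checkEntityExpansion(chainDoc(2)));   // small document, within limits
console.log(checkEntityExpansion(chainDoc(128))); // the report's case, rejected
```

The guard runs in time proportional to the document size even for the 128-level case, because each entity's expanded length is computed once and reused.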