
#267 XXE security vulnerability

Milestone: v1.0_(example)
Status: closed-fixed
Owner: Jon Iles
Labels: None
Priority: 5
Updated: 2015-04-29
Created: 2015-04-22
Creator: Russell
Private: No

XML External Entities (XXEs) are allowed when reading a Primavera XML file using the PrimaveraPMFileReader. This is a security vulnerability, as discussed here: https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

The easiest solution for preventing XXEs is to disallow the doctype declaration entirely, as shown here: http://blog.csnc.ch/2012/08/secure-xml-parser-configuration/

If you can add

factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

around line 136 of PrimaveraPMFileReader.java, it should solve the problem.
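The following is an added, stand-alone example (not MPXJ's code and not the reporter's) showing the difference the suggested feature makes. It builds two SAXParserFactory instances, one with default settings and one with disallow-doctype-decl enabled, and feeds both a constructed Primavera-style document carrying an external entity. The class name XxeDemo, the sample document and the element names in it are assumptions for illustration only; the feature URIs are the standard Xerces/SAX ones supported by the JDK's built-in parser.

```java
import java.io.StringReader;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeDemo {

    // Constructed sample (assumed, not a real Primavera export): a DOCTYPE
    // declares an external entity pointing at a local file, and the body
    // references it. A parser that resolves the entity leaks the file content
    // into the parsed data.
    static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE APIBusinessObjects [\n" +
        "  <!ENTITY xxe SYSTEM \"file:///etc/passwd\">\n" +
        "]>\n" +
        "<APIBusinessObjects><Project><Name>&xxe;</Name></Project></APIBusinessObjects>";

    // Collects all character data the parser hands to us, so we can see
    // whether the entity was expanded.
    static class TextCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();

        @Override
        public void characters(char[] ch, int start, int length) {
            text.append(ch, start, length);
        }
    }

    // Default configuration: DOCTYPE declarations and external entities are honoured.
    static SAXParserFactory unsafeFactory() {
        return SAXParserFactory.newInstance();
    }

    // Hardened configuration: reject any DOCTYPE outright, which is the single
    // line the ticket proposes. The two SAX entity features are a defensive
    // addition for parser implementations that do not recognise the Xerces one.
    static SAXParserFactory safeFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        return factory;
    }

    // Parses the document with the given factory and returns the text content seen.
    static String parse(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        TextCollector handler = new TextCollector();
        parser.parse(new InputSource(new StringReader(xml)), handler);
        return handler.text.toString();
    }

    public static void main(String[] args) throws Exception {
        try {
            String leaked = parse(unsafeFactory(), XXE_DOC);
            System.out.println("Unsafe parser expanded the entity; " + leaked.length()
                + " characters of file content ended up in the document text");
        } catch (Exception e) {
            // On a host without /etc/passwd the resolution itself fails, but the
            // parser still attempted to fetch an attacker-chosen resource.
            System.out.println("Unsafe parser tried to resolve the entity: " + e.getMessage());
        }

        try {
            parse(safeFactory(), XXE_DOC);
            System.out.println("Safe parser unexpectedly accepted the document");
        } catch (SAXParseException e) {
            // Expected outcome with disallow-doctype-decl: parsing stops at the DOCTYPE
            // before any entity is declared, let alone resolved.
            System.out.println("Safe parser rejected the document: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE is the right trade-off for a reader of Primavera PM XML, since that format carries no DTD of its own; a legitimate file with a stray DOCTYPE would now fail to load, which is preferable to silently reading local files or making outbound requests on the user's behalf. The same one-line check belongs on every parser factory a library creates, not only the one named in this ticket.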

Discussion

  • Jon Iles

    Jon Iles - 2015-04-29

    Thanks for raising this. The code now in Git contains your suggested fix.

     
  • Jon Iles

    Jon Iles - 2015-04-29
    • status: open --> closed-fixed
    • assigned_to: Jon Iles
     
