[Simple-support] Simple External Entity injection
From: Adam Z. <ad...@ma...> - 2013-10-18 15:30:55
Hello,

I'm using the Simple framework in the implementation of a client application for our NDS2 (http://blog.psnc.pl/tnc2013/en/nds2/) service. Our security department conducted penetration tests of the application and they found a security bug related to how XML external entities are processed in Simple. This is the so-called XXE: https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

The usual fix in such a case is to turn EE parsing off within the parser. Unfortunately, I cannot find any option in Simple to do that. Could you please help me with this issue? If Simple does not provide such an option, it should be considered a security flaw in Simple itself.

Kind regards,
Adam Zawada

--
Adam Zawada
Poznan Supercomputing and Networking Center
Supercomputing Department
http://rose.man.poznan.pl/~adam/
phone (+48 61) 858 21 93