Follow @EthHackingNews |
Figure 2: Apache Santuario added a disclaimer suggesting not to use the xml-security-c library

xml-security-c library. If so, the software may have a server-side request forgery (SSRF) vulnerability unless the code is patched.

xml-security-c may be very limited, or it may be inconvenient to recompile the library when it is obtained in binary form. If developers can pinpoint each use of the XSECProvider class, they can call the setDefaultURIResolver method on each XSECProvider object, passing a custom implementation of XSECURIResolver that simply does nothing. This avoids the need to recompile xml-security-c, and it keeps the software secure even if it is later linked against the stock xml-security-c, whose default resolver still dereferences external URIs.

xml-security-c library to make it secure by default with regard to URI resolution. Mandiant developed a patch that supersedes the vulnerable default XSECURIResolverXerces with a new default, XSECURIResolverNoop, that does nothing, thus fixing the SSRF. After applying the patch and recompiling, the library is no longer susceptible to this form of SSRF. Note that any legitimate use of external URIs would then have to opt in explicitly by calling setDefaultURIResolver with an XSECURIResolverXerces instance.
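The application-side mitigation described above (a do-nothing XSECURIResolver installed through XSECProvider::setDefaultURIResolver), as an added example. This is not code from Mandiant's post, from its patch, or from the xml-security-c project. It assumes the library's XSECURIResolver interface consists of a resolveURI(const XMLCh*) method returning a xercesc::BinInputStream* and a clone() method, and that setDefaultURIResolver clones the resolver it is given; when the real headers are not on the include path, minimal stand-in declarations mirroring those assumed interfaces are used so the block compiles on its own. The class name NoopURIResolver, the helper hardenProvider and the sample URIs are all made up for the example.

```cpp
// Added example, not xml-security-c or Mandiant code. Installs a resolver that refuses
// every external URI so signature references can never trigger a server-side request.
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

#if __has_include(<xsec/framework/XSECProvider.hpp>)
#  include <xsec/framework/XSECProvider.hpp>
#  include <xsec/framework/XSECURIResolver.hpp>
#  include <xsec/framework/XSECException.hpp>
#  include <xercesc/util/BinInputStream.hpp>
#else
// Stand-in declarations mirroring the assumed library interfaces (assumption; used only
// when the real headers are unavailable, so the example still compiles stand-alone).
typedef char16_t XMLCh;
namespace xercesc { class BinInputStream { public: virtual ~BinInputStream() {} }; }
class XSECException : public std::runtime_error {
public:
    enum XSECExceptionType { ErrorOpeningURI };
    XSECException(XSECExceptionType, const char* msg) : std::runtime_error(msg) {}
};
class XSECURIResolver {
public:
    virtual ~XSECURIResolver() {}
    virtual xercesc::BinInputStream* resolveURI(const XMLCh* uri) = 0;
    virtual XSECURIResolver* clone() = 0;
};
class XSECProvider {
public:
    ~XSECProvider() { delete mp_resolver; }
    void setDefaultURIResolver(XSECURIResolver* r) { delete mp_resolver; mp_resolver = r->clone(); }
private:
    XSECURIResolver* mp_resolver = nullptr;
};
#endif

// Hypothetical no-op resolver: every dereference is refused, regardless of scheme.
class NoopURIResolver : public XSECURIResolver {
public:
    xercesc::BinInputStream* resolveURI(const XMLCh* /*uri*/) override {
        // Throw rather than return NULL: the failure stays visible to the verifier code
        // and cannot turn into a null-pointer dereference further down the call chain.
        throw XSECException(XSECException::ErrorOpeningURI,
                            "External URI dereferencing is disabled by policy");
    }
    // The provider clones the resolver it is handed (assumption), so the clone must
    // refuse too; otherwise the mitigation would silently disappear after the copy.
    XSECURIResolver* clone() override { return new NoopURIResolver(); }
};

// Call this at every point where an XSECProvider is constructed, before any
// signature is created or verified through it.
void hardenProvider(XSECProvider& provider) {
    // A static instance is safe whether the provider clones it or keeps the pointer.
    static NoopURIResolver noop;
    provider.setDefaultURIResolver(&noop);
}

// Builds a NUL-terminated XMLCh string from ASCII (avoids depending on XMLCh's width).
static std::vector<XMLCh> toXMLCh(const std::string& s) {
    std::vector<XMLCh> out(s.begin(), s.end());
    out.push_back(0);
    return out;
}

// True if the no-op resolver refuses `uri` (the expected outcome for every input).
bool noopRefuses(const std::string& uri) {
    std::vector<XMLCh> wide = toXMLCh(uri);
    NoopURIResolver resolver;
    try {
        delete resolver.resolveURI(wide.data());
        return false;  // a stream came back: external access was NOT blocked
    } catch (const XSECException&) {
        return true;
    }
}

// True if a clone of the resolver (what the provider actually keeps) refuses too.
bool cloneRefuses(const std::string& uri) {
    std::vector<XMLCh> wide = toXMLCh(uri);
    NoopURIResolver original;
    XSECURIResolver* copy = original.clone();
    bool refused = false;
    try { delete copy->resolveURI(wide.data()); }
    catch (const XSECException&) { refused = true; }
    delete copy;
    return refused;
}

int main() {
    XSECProvider provider;
    hardenProvider(provider);
    // Constructed sample URIs typical of an SSRF probe via a <Reference URI="...">.
    const char* probes[] = { "http://169.254.169.254/latest/meta-data/",
                             "file:///etc/passwd", "#xpointer(/)" };
    for (const char* p : probes)
        std::cout << p << " -> " << (noopRefuses(p) ? "refused" : "RESOLVED") << "\n";
    return 0;
}
```

If the patched library described above is in use instead, the same call is the opt-in path in the other direction: a component that legitimately needs external references passes an XSECURIResolverXerces instance to setDefaultURIResolver on its own provider, and every other provider keeps the do-nothing default.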