Open mrbrutti opened 7 years ago
Any updates here ? It's been open for a long time.
XML Security Library 1.2.24 release (April 20 2017) disabled external entities loading by default to prevent XXE attacks (d-hat) https://www.aleksey.com/xmlsec/
Should this be closed?
Description
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
Whenever xmlsec verifies, encrypt, decrypt an XML document the parse by default reads external entities resulting on an XXE Vulnerability.
The vulnerable code xmlsec.go
https://github.com/RobotsAndPencils/go-saml/blob/master/xmlsec.go#L51
https://github.com/RobotsAndPencils/go-saml/blob/master/xmlsec.go#L92
Proof of Concept of xmlsec
Listener:
Recommendations
Even though the vulnerability is not directly responsible to go-saml. It is my recommendation that the go-saml library be more proactive and pre-filters any external DTDs by not allowing any of those during the marshall/unmarshall, instead of using the originalString at the time of signed/verify the SAML XML string using the vulnerable version of xmlsec/libxml2 libraries until the time the vulnerability can be correctly patched by itself.
For more information refer to: