Configuration to prevent XXE


Kindly guide me on how to prevent XXE attacks for my Lucee version. I have referred to [LDEV-1676] - Lucee and Application.cfc / <cfapplication> :: Lucee Documentation
and added all 3 properties in Application.cfc, but it still allows external entities and thus allows retrieval of arbitrary files.

Appreciate any help suggested.


Can you share the full code of your repro case?

Any thoughts here? Let me know if any other information is required…

A working example really helps; bonus points if you can provide a TestBox test case :)

Tried the already existing test case -

and it still parsed the external entities; please guide me on whether I have set the xmlFeatures correctly here…

this.xmlFeatures is an Application.cfc setting, so that’s not going to work on trycf like that
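To make the point concrete, here is an added example (not code from the thread or from the Lucee project) of the Application.cfc setting together with a TestBox spec that checks it is actually in effect for the request. The three feature keys are assumed to be the ones from the LDEV-1676 documentation linked above; the spec only uses a harmless internal entity, since with `disallowDoctypeDecl` any DOCTYPE at all should be refused.

```cfml
// ---- Application.cfc (place at the web root or test root) ----
component {
    this.name = "xxe-hardening-check";
    // Hardened XML parser features, applied to xmlParse() for this application
    this.xmlFeatures = {
        externalGeneralEntities: false, // do not resolve external general entities
        secure: true,                   // turn on the parser's secure-processing mode
        disallowDoctypeDecl: true       // refuse any DOCTYPE, which is where entities are declared
    };
}

// ---- tests/specs/XmlFeaturesSpec.cfc (TestBox spec, assumed layout) ----
component extends="testbox.system.BaseSpec" {
    function run() {
        describe("this.xmlFeatures hardening", function() {

            it("rejects any document carrying a DOCTYPE", function() {
                // constructed sample: internal entity only, no external reference
                var doc = '<?xml version="1.0"?>'
                        & '<!DOCTYPE note [<!ENTITY who "world">]>'
                        & '<note>hello &who;</note>';
                // if xmlFeatures were not applied, this would parse to "hello world"
                expect(function() { xmlParse(doc); }).toThrow();
            });

            it("still parses plain XML without a DOCTYPE", function() {
                var xml = xmlParse('<note>hello</note>');
                expect(xml.note.xmlText).toBe("hello");
            });
        });
    }
}
```

If the first spec fails (the DOCTYPE document parses), the setting is not reaching the request, which is exactly what happens when the code runs outside the Application.cfc scope, as on trycf.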

So maybe I can say it is the same kind of entity XXE that can be added to XML and causes an XXE vulnerability for the code even after adding this.xmlFeatures in Application.cfc.

So it is done by inserting the below into the SOAP body:

we’ve added a test case for the XXE configurations

If you think there's a problem, please file a PR to extend the test case to demonstrate the problem.