Configuration to prevent XXE

swattiguptaa · September 5, 2022, 3:59pm

Hi,

Kindly guide how to prevent XXE attack for lucee 5.3.9.133 version? I have referred to [LDEV-1676] - Lucee and Application.cfc / <cfapplication> :: Lucee Documentation
and added all 3 properties in application.cfc, still it allows external entities and thus allows retrieval of arbitrary files.

Appreciate any help suggested.

Thanks,
SG

bdw429s · September 5, 2022, 5:25pm

Can you share the full code of your repro case?

Zackster · September 5, 2022, 6:48pm

github.com

lucee/Lucee/blob/6.0/core/src/main/cfml/context/admin/Application.cfc#L37


      
          this.setdomaincookies="no"; 
          this.applicationtimeout="#createTimeSpan(1,0,0,0)#";
          this.localmode="update";
          this.web.charset="utf-8";
          this.sessionCookie.httpOnly = true; // prevent access to session cookies from javascript
          this.sessionCookie.sameSite = "strict";
          this.sessionCookie.path = getAppFolderPath();  // the admin is always in a folder nested two directories deep
          this.tag.cookie.sameSite = "strict";
          this.tag.cookie.path = getAppFolderPath();
          this.tag.cookie.httpOnly = true; // prevent access to session cookies from javascript
          
          
this.xmlFeatures = {
          	externalGeneralEntities: false,
          	secure: true,
          	disallowDoctypeDecl: true
          };
          
          
request.singleMode=getApplicationSettings().singleContext;
          if(request.singleMode) request.adminType="server";
          public function onRequestStart() {
          	// if not logged in, we only allow access to admin|web|server[.cfm]

swattiguptaa · September 6, 2022, 9:34am

Any thoughts here? let me know if any other information required…

Zackster · September 6, 2022, 9:55am

a working example really helps, bonus points if you can provide a testbox testcase

swattiguptaa · September 6, 2022, 10:29am

tried the already existing testcase - TryCF.com

and still parsed the external entities, pls guide if I have set the xmlFeatures correctly here…

Zackster · September 6, 2022, 10:40am

this.xmlFeatures is an Application.cfc setting, so that’s not going to work on trycf like that

swattiguptaa · September 6, 2022, 10:47am

So may be I can say it is the same kind of entity xxe , that can be added to xml and causes XXE vulnerability for the code even after adding the this.xmlFeatures in Application.cfc

swattiguptaa · September 6, 2022, 1:18pm

so it is done by inserting below to soap body:

Zackster · September 7, 2022, 12:59pm

we’ve added a test case for the XXE configurations

if you think there’s a problem, please file a PR to extend the test case to demonstrate the problem?