XML Embedded DTDs

Description

• See CWE-827
• XML allows for validation of their input using Document Type Definitions (DTDs). These DTDs are pretty flexible, and allow for things like reading in external files. However, users can embed their own DTDs in the header of an XML file, thereby accessing the file system directly.

Mitigations

• In most languages, you can disable validation of embedded DTDs with ease.
• However, make sure you test this closely, as Java’s built-in SAX parser does not always respect setValidating(false) and setExpandEntityReferences(false) depending on the environment. In that case, you need to override the entity resolver (see the given example).

Historical Examples

• The web service framework Apache CXF had one of these in CVE-2010-2076. The provided a significant discussion of what this vulnerability means to them in the attached PDF in their bug.
• Python has a package called defusedxml that fixes this problem. Their discussion is quite illuminating.

Notes

• Ironically, DTDs were originally intended for XML validation, but it got warped into more of a user convenience. So yes, fixing this vulnerability means turning off “validation”.
• A similar vulnerability is the XML bomb, which expands XML entities expoentially (causing a DoS by filling up the memory). However, most XML parsers have limiting defaults for expanding XML entities, so that XML bombs are (practically speaking) no longer an issue as long as developers don’t explicitly turn off the limits. An example XML bomb is included in the above zip.

Running the Demo

  $ cd xml-dtd
  $ make