[GeoNetwork-devel] XML External Entity Injection on GN 2.10.3 Services

Hi, Gurus,

Recently, I had my GeoNetwork portal scanned by Acunetix.com for security reasons. Acunetix reported that the following services are vulnerable to XML External Entity Injection.

/geonetwork/srv/eng/password.forgotten.form
/geonetwork/srv/eng/password.forgotten.submit
/geonetwork/srv/eng/q
/geonetwork/srv/eng/rss.search
/geonetwork/srv/eng/search
/geonetwork/srv/eng/user.register.submit
/geonetwork/srv/eng/xml.search

For instance, the “password.forgotten.form” service can be POSTed the following XML data:

<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE dtnhh3j [ ]>

<password.forgotten.form>&dtnhh3jent;</password.forgotten.form>

That means this service can possibly be exploited to disclose sensitive data.

I looked around and can’t figure out where to report this security vulnerability. I posted it here.

Maybe I have missed some security configuration which may easily fix it.

If it indeed turns out to be a security vulnerability, what source code should I look into? I read through XMLSearch.java, but it does not seem the right place to fix due to my limited Java security knowledge. It looks to me that these services do not use “ENTITY” explicitly. So, where are the correct places I could add a security check on each of the services, for example:

DOM

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

SAX

SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Right now, I have to shut down the GN portal until this security issue can be resolved. Can any guru help or offer any insight?

By the way, I am using JDK 8.

Steve