Issue: Check for XML XXE/XEE Vulnerabilities

Issue Tools
- View Changes

August 12, 2014 3:10 PM

pegasus

VaultWiki Team

Check for XML XXE/XEE Vulnerabilities

Check that VaultWiki 4 is not vulnerable to XXE and XEE attacks. While VaultWiki only uses XML for responses from whitelisted sites (e.g. PayPal) and for upgrade XML files, should VaultWiki implement an RSS importer in the future (technically it's a regression of a VaultWiki 3 feature), then this possibile vulnerability needs to first be addressed.

Issue Details

Issue Number 3913

Issue Type Task

Project VaultWiki 4.x Series

Category Permissions / Security

Status Completed

Priority 1 - Security / Login / Data Loss

Target Version 4.0.0 RC 1

Resolved Version (none)

Milestone VaultWiki 4.0 Gold

Software DependencyAny

License TypePaid

Votes to perform 0

Votes not to perform 0

Attachments 0

Assigned Users (none)

Tags (none)

August 13, 2014 5:00 PM

pegasus

VaultWiki Team

VaultWiki is not vulnerable. Since VaultWiki automatically wraps incoming XML in a fake root element (originally designed to make traversing the DOM consistent with vBulletin 3 behavior), this makes any embedded entity definitions become invalid and the parser exits due to the XML being invalid.

Reply

+ Reply

All times are GMT -4. The time now is 11:32 PM.

This site uses cookies to help personalize content, to tailor your experience, and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.

Learn more… Accept Remind me later

Welcome to VaultWiki.org, home of the wiki add-on for vBulletin and XenForo!

Issue: Check for XML XXE/XEE Vulnerabilities

Issue Tools